Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-03-2021 19:14
Static task: static1
Behavioral task: behavioral1 (Sample: 03052021.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 03052021.xlsx, Resource: win10v20201028)
General
- Target: 03052021.xlsx
- Size: 2.7MB
- MD5: 7d4798dccbd61d8cebb3f9541139276a
- SHA1: 40a3a4635f797e1436414700a3f6611aa9d7abd4
- SHA256: 99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
- SHA512: 0cfa1b86d4ba2f5c42778a097b145440cc35a124bf68796d882100cd89ea5b3500e95be3be3678d8b8cca1087731d8dd8f7beae339e3cf379e94c9812250277a
Malware Config
Extracted (family: xloader)
http://www.rizrvd.com/bw82/
fundamentaliemef.com
gallerybrows.com
leadeligey.com
octoberx2.online
climaxnovels.com
gdsjgf.com
curateherstories.com
blacksailus.com
yjpps.com
gmobilet.com
fcoins.club
foreverlive2027.com
healthyfifties.com
wmarquezy.com
housebulb.com
thebabyfriendly.com
primajayaintiperkasa.com
learnplaychess.com
chrisbubser.digital
xn--avenr-wsa.com
exlineinsurance.com
thrivezi.com
tuvandadayvitos24h.online
illfingers.com
usmedicarenow.com
pandabutik.com
engageautism.info
magnabeautystyle.com
texasdryroof.com
woodlandpizzahartford.com
dameadamea.com
sedaskincare.com
ruaysatu99.com
mybestaide.com
nikolaichan.com
mrcabinetkitchenandbath.com
ondemandbarbering.com
activagebenefits.net
srcsvcs.com
cbrealvitalize.com
ismaelworks.com
medkomp.online
ninasangtani.com
h2oturkiye.com
kolamart.com
acdfr.com
twistedtailgatesweeps1.com
ramjamdee.com
thedancehalo.com
joeisono.com
glasshouseroadtrip.com
okcpp.com
riggsfarmfenceservices.com
mgg360.com
xn--oi2b190cymc.com
ctfocbdwholesale.com
openspiers.com
rumblingrambles.com
thepoetrictedstudio.com
magiclabs.media
wellnesssensation.com
lakegastonautoparts.com
dealsonwheeeles.com
semenboostplus.com
Signatures

Xloader Payload (3 IoCs)
- yara_rule xloader: behavioral1/memory/676-21-0x000000000041CFF0-mapping.dmp
- yara_rule xloader: behavioral1/memory/676-20-0x0000000000400000-0x0000000000428000-memory.dmp
- yara_rule xloader: behavioral1/memory/1100-30-0x0000000000080000-0x00000000000A8000-memory.dmp

Blocklisted process makes network request (1 IoC)
- flow 6: pid 1788 EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
- pid 436 vbc.exe
- pid 676 vbc.exe

Loads dropped DLL (4 IoCs)
- pid 1788 EQNEDT32.EXE (4 times)

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
- PID 436 vbc.exe set thread context of PID 676 vbc.exe
- PID 676 vbc.exe set thread context of PID 1276 Explorer.EXE
- PID 1100 NAPSTAT.EXE set thread context of PID 1276 Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened by EXCEL.EXE: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (registry IoCs; all by EXCEL.EXE, every path below is relative to \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer)
- Key created: MenuExt\Se&nd to OneNote
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: Toolbar
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Key created: MenuExt
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: MenuExt\E&xport to Microsoft Excel
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 1924 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
- pid 676 vbc.exe (2 times)
- pid 1100 NAPSTAT.EXE (7 times)

Suspicious behavior: MapViewOfSection (5 IoCs)
- pid 676 vbc.exe (3 times)
- pid 1100 NAPSTAT.EXE (2 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- pid 676 vbc.exe: Token: SeDebugPrivilege
- pid 1100 NAPSTAT.EXE: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 1924 EXCEL.EXE (3 times)

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 1788 EQNEDT32.EXE wrote to memory of PID 436 vbc.exe (4 times)
- PID 436 vbc.exe wrote to memory of PID 676 vbc.exe (7 times)
- PID 1276 Explorer.EXE wrote to memory of PID 1100 NAPSTAT.EXE (4 times)
- PID 1100 NAPSTAT.EXE wrote to memory of PID 552 cmd.exe (4 times)
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\03052021.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  Level 2: C:\Windows\SysWOW64\NAPSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"

Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Public\vbc.exe
  MD5: 1c7a241966323185ddea3b121d08b14a
  SHA1: 2d9a41bfbad3416321e1913e92f8ee8c8d4e8c7e
  SHA256: 9f5ee7d9915ac3e6f684c7e22555357b5c43c6ca6cbaca8a974b667b51a3ba51
  SHA512: f7278a13422e24881ebf4444de998ebc91fdadf068d0350e2f139e3eeaf905de961d83b2ffd8a0e560cb04f4da55faa07be3b96b2ee4b0a29b1bcd5e0fc5aeb5
- \Users\Public\vbc.exe
  MD5: 1c7a241966323185ddea3b121d08b14a
  SHA1: 2d9a41bfbad3416321e1913e92f8ee8c8d4e8c7e
  SHA256: 9f5ee7d9915ac3e6f684c7e22555357b5c43c6ca6cbaca8a974b667b51a3ba51
  SHA512: f7278a13422e24881ebf4444de998ebc91fdadf068d0350e2f139e3eeaf905de961d83b2ffd8a0e560cb04f4da55faa07be3b96b2ee4b0a29b1bcd5e0fc5aeb5
- memory/436-17-0x00000000005D0000-0x00000000005D7000-memory.dmp (filesize 28KB)
- memory/436-18-0x0000000004B80000-0x0000000004B81000-memory.dmp (filesize 4KB)
- memory/436-11-0x0000000000000000-mapping.dmp
- memory/436-19-0x0000000002210000-0x000000000225F000-memory.dmp (filesize 316KB)
- memory/436-14-0x000000006C810000-0x000000006CEFE000-memory.dmp (filesize 6.9MB)
- memory/436-15-0x0000000000030000-0x0000000000031000-memory.dmp (filesize 4KB)
- memory/552-28-0x0000000000000000-mapping.dmp
- memory/676-20-0x0000000000400000-0x0000000000428000-memory.dmp (filesize 160KB)
- memory/676-21-0x000000000041CFF0-mapping.dmp
- memory/676-24-0x0000000000A80000-0x0000000000D83000-memory.dmp (filesize 3.0MB)
- memory/676-25-0x0000000000210000-0x0000000000220000-memory.dmp (filesize 64KB)
- memory/1100-29-0x0000000000800000-0x0000000000846000-memory.dmp (filesize 280KB)
- memory/1100-33-0x0000000002280000-0x000000000230F000-memory.dmp (filesize 572KB)
- memory/1100-31-0x0000000001F70000-0x0000000002273000-memory.dmp (filesize 3.0MB)
- memory/1100-30-0x0000000000080000-0x00000000000A8000-memory.dmp (filesize 160KB)
- memory/1100-27-0x0000000000000000-mapping.dmp
- memory/1276-26-0x0000000003E60000-0x0000000003FC5000-memory.dmp (filesize 1.4MB)
- memory/1664-6-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp (filesize 2.5MB)
- memory/1788-5-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (filesize 8KB)
- memory/1924-2-0x000000002F9D1000-0x000000002F9D4000-memory.dmp (filesize 12KB)
- memory/1924-3-0x0000000071821000-0x0000000071823000-memory.dmp (filesize 8KB)
- memory/1924-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (filesize 64KB)