Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-03-2021 14:25

- Static task: static1
- Behavioral task: behavioral1 (Sample: inquiry10204168.xlsx, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: inquiry10204168.xlsx, Resource: win10v20201028)
General
- Target: inquiry10204168.xlsx
- Size: 2.4MB
- MD5: d21391378bff7acab49dfce8761978f1
- SHA1: c4a02857537b6b300f7ad279a6fe5660a473bda2
- SHA256: 0944f78b8f2bd0e3a08c56793f90cc82ac064789018cf04a2fde5476055d1214
- SHA512: b2d7100141d27f01f3bf369a41b143350f94d01cb923995edd028d0c148e6b97660164f8d9b610cecde22d28db1dccc979f5942adc3bbd65f3d41e5396c08edb
Malware Config
- Extracted: xloader
- http://www.856380692.xyz/nsag/
Signatures

Xloader Payload (2 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/912-17-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
- behavioral1/memory/1836-23-0x00000000000D0000-0x00000000000F8000-memory.dmp: xloader

Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
- flow 6, pid 1976, EQNEDT32.EXE
- flow 8, pid 1976, EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1012 vbc.exe
- 912 vbc.exe

Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 1976 EQNEDT32.EXE (3 entries)
- 1012 vbc.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (3 IoCs)
Processes (pid, process, target process):
- PID 1012 (vbc.exe) set thread context of 912 (vbc.exe)
- PID 912 (vbc.exe) set thread context of 1256 (Explorer.EXE)
- PID 1836 (systray.exe) set thread context of 1256 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (12 IoCs)
Processes (resource: yara_rule):
- \Users\Public\vbc.exe: nsis_installer_1, nsis_installer_2 (3 entries each)
- C:\Users\Public\vbc.exe: nsis_installer_1, nsis_installer_2 (3 entries each)

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
- 1804 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes (pid, process):
- 1012 vbc.exe (4 entries)
- 912 vbc.exe (2 entries)
- 1836 systray.exe (26 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process):
- 1012 vbc.exe
- 912 vbc.exe (3 entries)
- 1836 systray.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 912 vbc.exe
- Token: SeDebugPrivilege, 1836 systray.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (pid, process):
- 1256 Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid, process):
- 1256 Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
- 1804 EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (pid, process, target process):
- PID 1976 (EQNEDT32.EXE) wrote to memory of 1012 (vbc.exe) (4 entries)
- PID 1012 (vbc.exe) wrote to memory of 912 (vbc.exe) (5 entries)
- PID 1256 (Explorer.EXE) wrote to memory of 1836 (systray.exe) (4 entries)
- PID 1836 (systray.exe) wrote to memory of 1576 (cmd.exe) (4 entries)
Processes

- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inquiry10204168.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"

- [depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Public\vbc.exe
  MD5: f7ab1c6e6623676d14665c84fdc9aee4
  SHA1: 6d5b39ada2ead78c8977cb917cfee6e83180116f
  SHA256: e6e9f774351440aef9b0b309282155ad0258f6e97da820170384454711e4bef8
  SHA512: 71239d2d161879d13053f3512a57a84fd9a86e907874075a7f6f143e6b96b0f64c5e933a4fb15d7deb4c3723ca8d1856723b7d8efa82ced17879f7f30c6483cf
- \Users\Admin\AppData\Local\Temp\nsi8F65.tmp\93ni8zi9fd1f.dll
  MD5: 6bb21314f484e79d6d6e4b2329ee68ef
  SHA1: e988cdc158cf6eb71e19afc946812d77f02ff370
  SHA256: c7f2500459484d1df8d6a2c6a391d39ba79c1343412eb0231d036fb036b0368a
  SHA512: ea1e7341484cb41d8081a6d018fb1f383727613cf228aa9fabb32405c8c8159d68e8572e5e0eb85b40de6538c540d837ee7b96c886739b449dd1b93c75ce1c09
- \Users\Public\vbc.exe
  MD5: f7ab1c6e6623676d14665c84fdc9aee4
  SHA1: 6d5b39ada2ead78c8977cb917cfee6e83180116f
  SHA256: e6e9f774351440aef9b0b309282155ad0258f6e97da820170384454711e4bef8
  SHA512: 71239d2d161879d13053f3512a57a84fd9a86e907874075a7f6f143e6b96b0f64c5e933a4fb15d7deb4c3723ca8d1856723b7d8efa82ced17879f7f30c6483cf
Memory dumps (Filesize where reported):
- memory/652-6-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp: 2.5MB
- memory/912-15-0x000000000041D000-mapping.dmp
- memory/912-19-0x00000000002B0000-0x00000000002C0000-memory.dmp: 64KB
- memory/912-17-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/912-18-0x0000000000840000-0x0000000000B43000-memory.dmp: 3.0MB
- memory/1012-10-0x0000000000000000-mapping.dmp
- memory/1256-27-0x00000000050F0000-0x00000000051CF000-memory.dmp: 892KB
- memory/1256-20-0x0000000006530000-0x000000000662D000-memory.dmp: 1012KB
- memory/1576-25-0x0000000000000000-mapping.dmp
- memory/1804-3-0x0000000071BA1000-0x0000000071BA3000-memory.dmp: 8KB
- memory/1804-2-0x000000002F111000-0x000000002F114000-memory.dmp: 12KB
- memory/1804-4-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1836-21-0x0000000000000000-mapping.dmp
- memory/1836-22-0x0000000000C90000-0x0000000000C95000-memory.dmp: 20KB
- memory/1836-23-0x00000000000D0000-0x00000000000F8000-memory.dmp: 160KB
- memory/1836-24-0x00000000020A0000-0x00000000023A3000-memory.dmp: 3.0MB
- memory/1836-26-0x00000000003C0000-0x000000000044F000-memory.dmp: 572KB
- memory/1976-5-0x00000000767C1000-0x00000000767C3000-memory.dmp: 8KB