Analysis
max time kernel: 151s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 08-04-2021 06:09

Static task: static1
Behavioral task: behavioral1 (Sample: invoice.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: invoice.xlsx, Resource: win10v20201028)

General
Target: invoice.xlsx
Size: 2.2MB
MD5: a36c4741d6a05389b3a23ff5e5201930
SHA1: aacc6bd68a6b27041ac35148de613dae5423c8a3
SHA256: 21f857a7997892d8c9a725f447b9b7be3ce2451a177fb6286da2deb8853208d9
SHA512: 71434a45fb41026a4e4c339f1f4daabc1fbf0fe8cc7c434da49bf5a2fc87584b8396dd51fed15e54d8ee0a9e6febbedd003cd377493610576d79e85429ce7d6a
Malware Config
Extracted
Family: xloader
Version: 2.3
http://www.emergencylocksmithsolutions.com/bei3/
cananevrensigorta.com
nyayayacho.com
delta8america.com
info-age.gmbh
magetu.info
illuqon.com
bohathome.com
kellydalva.com
hinkro.com
danlanproproductions.com
skkcabed.com
masnaoto.com
sourcelibre.net
www-1360666.com
ninekimchis.com
sgxzds.com
laysflavorsicons.com
vinkle.net
anazaczarowana.com
verneil.com
moxa-pro.com
chuckkie.com
ree-construction.com
valhallavets.com
familiarealtygroup.com
bavaria-cie.com
weightlossz.net
competitionlawsarvada.legal
samegameparlays.com
sandhillspursuit.com
all-playbet.net
nyiftsuppliersday.com
carrme.com
jinggongyuan.com
nixsit.com
macropools.com
chocolatesbrasilcacau.club
sgfwholesale.net
mybodtonheart.com
raganslandscapingllc.com
fvtnywveba.club
busybeecreates.com
chapterproductions.com
creativesupporters.com
336ac.com
socialmediahomegym.com
lngboiler.com
sirdesmonddesilvaqc.com
imangine.com
daroudi.com
xrpipeline.com
zhongziciliso.com
axelrodglobal.com
warrior.green
serpempirejel.club
nattyvell.com
sy928.com
forttrek.com
travelwithlowbudget.com
arpsmaths.info
essensedesigns.events
prosperfortuna.com
thesingaporeanabroad.com
shopwithdrive.com
Signatures

Xloader Payload 2 IoCs
  resource | yara_rule
  behavioral1/memory/1756-18-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1324-27-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Blocklisted process makes network request 3 IoCs
  flow | pid | process
  6 | 1964 | EQNEDT32.EXE
  8 | 1964 | EQNEDT32.EXE
  10 | 1964 | EQNEDT32.EXE

Executes dropped EXE 2 IoCs
  pid | process
  1480 | vbc.exe
  1756 | vbc.exe

Loads dropped DLL 4 IoCs
  pid | process
  1964 | EQNEDT32.EXE (3 entries)
  1480 | vbc.exe

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 4 IoCs
  description | pid | process | target process
  PID 1480 set thread context of 1756 | 1480 | vbc.exe | vbc.exe
  PID 1756 set thread context of 1268 | 1756 | vbc.exe | Explorer.EXE (2 entries)
  PID 1324 set thread context of 1268 | 1324 | netsh.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer 6 IoCs
  resource | yara_rule
  \Users\Public\vbc.exe | nsis_installer_1 (3 entries)
  C:\Users\Public\vbc.exe | nsis_installer_1 (3 entries)

Enumerates system info in registry 2 TTPs 1 IoCs
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | process
  1904 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs
  pid | process
  1756 | vbc.exe (3 entries)
  1324 | netsh.exe (25 entries)

Suspicious behavior: MapViewOfSection 7 IoCs
  pid | process
  1480 | vbc.exe
  1756 | vbc.exe (4 entries)
  1324 | netsh.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 5 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 1756 | vbc.exe
  Token: SeShutdownPrivilege | 1268 | Explorer.EXE (3 entries)
  Token: SeDebugPrivilege | 1324 | netsh.exe

Suspicious use of FindShellTrayWindow 4 IoCs
  pid | process
  1268 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
  pid | process
  1268 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
  pid | process
  1904 | EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 17 IoCs
  description | pid | process | target process
  PID 1964 wrote to memory of 1480 | 1964 | EQNEDT32.EXE | vbc.exe (4 entries)
  PID 1480 wrote to memory of 1756 | 1480 | vbc.exe | vbc.exe (5 entries)
  PID 1756 wrote to memory of 1324 | 1756 | vbc.exe | netsh.exe (4 entries)
  PID 1324 wrote to memory of 1848 | 1324 | netsh.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        command line: "C:\Windows\SysWOW64\netsh.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Public\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe (3 entries)
  MD5: d074162909d26edf4001380da0ae4743
  SHA1: 883ec0ac4125c74077865d2255d901a8b192ec3a
  SHA256: 7b1f7ca6d7203473484a7f221f68c56eff50d196db18a18e9fcf0142dd60a02d
  SHA512: 82f02fd030dbbadaaef52af30f262743071e67d2cda8d049702ca081955c9d860ef52088b75a9dce00b311044f4eca1d7a95a41f6f79ed46ce5bd71f4b782484

\Users\Admin\AppData\Local\Temp\nsn257C.tmp\uyx3hk1pib54.dll
  MD5: d5743cd1bd43046294e1590f0a688888
  SHA1: 9aee1728f2513452670443b687b85e8df3bc0fe3
  SHA256: fb2d6b8d2136e1c9bfde269bb45550df7f5ba5b22a93baaa0028f3224bcd3fbc
  SHA512: f5367280dfb65a13b659c1f45a41056c0ebeb1be08de00562386c2724b7791e1aff14442417214c90a0da472df7f0690c1d4f70f8d14f9aa31ce8e6178f43511

\Users\Public\vbc.exe (3 entries)
  MD5: d074162909d26edf4001380da0ae4743
  SHA1: 883ec0ac4125c74077865d2255d901a8b192ec3a
  SHA256: 7b1f7ca6d7203473484a7f221f68c56eff50d196db18a18e9fcf0142dd60a02d
  SHA512: 82f02fd030dbbadaaef52af30f262743071e67d2cda8d049702ca081955c9d860ef52088b75a9dce00b311044f4eca1d7a95a41f6f79ed46ce5bd71f4b782484

Memory dumps
  memory/800-6-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp  Filesize: 2.5MB
  memory/1268-30-0x0000000006290000-0x00000000063FF000-memory.dmp  Filesize: 1.4MB
  memory/1268-23-0x0000000006030000-0x0000000006146000-memory.dmp  Filesize: 1.1MB
  memory/1268-21-0x0000000004540000-0x0000000004631000-memory.dmp  Filesize: 964KB
  memory/1324-24-0x0000000000000000-mapping.dmp
  memory/1324-26-0x00000000012F0000-0x000000000130B000-memory.dmp  Filesize: 108KB
  memory/1324-29-0x0000000000D50000-0x0000000000DDF000-memory.dmp  Filesize: 572KB
  memory/1324-28-0x0000000000A40000-0x0000000000D43000-memory.dmp  Filesize: 3.0MB
  memory/1324-27-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
  memory/1480-10-0x0000000000000000-mapping.dmp
  memory/1480-17-0x0000000001D60000-0x0000000001D62000-memory.dmp  Filesize: 8KB
  memory/1756-19-0x0000000000840000-0x0000000000B43000-memory.dmp  Filesize: 3.0MB
  memory/1756-22-0x00000000002F0000-0x0000000000300000-memory.dmp  Filesize: 64KB
  memory/1756-20-0x00000000002A0000-0x00000000002B0000-memory.dmp  Filesize: 64KB
  memory/1756-15-0x000000000041D0C0-mapping.dmp
  memory/1756-18-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
  memory/1848-25-0x0000000000000000-mapping.dmp
  memory/1904-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
  memory/1904-2-0x000000002F141000-0x000000002F144000-memory.dmp  Filesize: 12KB
  memory/1904-3-0x00000000715E1000-0x00000000715E3000-memory.dmp  Filesize: 8KB
  memory/1964-5-0x00000000766F1000-0x00000000766F3000-memory.dmp  Filesize: 8KB