Analysis
- max time kernel: 149s
- max time network: 20s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 06:08

Static task: static1
Behavioral task: behavioral1
- Sample: Products.xlsx
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Products.xlsx
- Resource: win10v20201028
General
- Target: Products.xlsx
- Size: 446KB
- MD5: aae56ba84519c7b28bba6f8240f2d169
- SHA1: a90d2dcf16df76c5db19d2c48cb7148b4b675d75
- SHA256: 73b3fa9d738ba7f1e520e06b4760b77d9b044a3f5e96c9e13227255875e43bfa
- SHA512: 114b77853961ff46c52af2d38f4216f570aa5bab1b65d7b973db3725d1cebe9a68fead9e31ac54df2b41d2d3681c12886d09708481a82b1bfc13b52fc1c3395c
Malware Config
Extracted:
- Family: xloader
- Version: 2.3
- URL: http://www.paintersdistrictcouncil.com/vu9b/
- Domains: 64 entries in the extracted config
Signatures

Xloader Payload (3 IoCs)
Processes:
- behavioral1/memory/1692-22-0x0000000000400000-0x0000000000429000-memory.dmp: YARA rule xloader
- behavioral1/memory/1692-23-0x000000000041D0A0-mapping.dmp: YARA rule xloader
- behavioral1/memory/1032-32-0x00000000000D0000-0x00000000000F9000-memory.dmp: YARA rule xloader

Blocklisted process makes network request (1 IoC)
Processes:
- flow 5, PID 1780 EQNEDT32.EXE

Executes dropped EXE (3 IoCs)
Processes:
- PID 620 vbc.exe
- PID 1784 vbc.exe
- PID 1692 vbc.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 1780 EQNEDT32.EXE

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 620 vbc.exe set thread context of PID 1692 vbc.exe
- PID 1692 vbc.exe set thread context of PID 1200 Explorer.EXE
- PID 1032 msiexec.exe set thread context of PID 1200 Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (EXCEL.EXE; signature as listed in the process tree)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- PID 1752 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
- PID 620 vbc.exe (4 events)
- PID 1692 vbc.exe (2 events)
- PID 1032 msiexec.exe (5 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 1692 vbc.exe (3 events)
- PID 1032 msiexec.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 620 vbc.exe
- Token: SeDebugPrivilege, PID 1692 vbc.exe
- Token: SeDebugPrivilege, PID 1032 msiexec.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 1752 EXCEL.EXE (3 events)

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
- PID 1752 EXCEL.EXE wrote to memory of PID 1988 splwow64.exe (4 events)
- PID 1780 EQNEDT32.EXE wrote to memory of PID 620 vbc.exe (4 events)
- PID 620 vbc.exe wrote to memory of PID 1784 vbc.exe (4 events)
- PID 620 vbc.exe wrote to memory of PID 1692 vbc.exe (7 events)
- PID 1200 Explorer.EXE wrote to memory of PID 1032 msiexec.exe (7 events)
Processes

C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 2)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Products.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (depth 3)
    command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\msiexec.exe (depth 2)
  command line: "C:\Windows\SysWOW64\msiexec.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (depth 2)
  command line: "C:\Users\Public\vbc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (depth 3)
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE

    C:\Users\Public\vbc.exe (depth 3)
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Public\vbc.exe
- MD5: d381b0a2268051aa83b031ddc87ee7df
- SHA1: 7c580bde96219de369ad1503d62703e77c4c3fa6
- SHA256: da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47
- SHA512: d06241c1a89819b9961cdaf1be2f30af6e44cbca51d702d87a9c3d57453242d5f688119726a6d87e4ece8bff7e8eb91706a18181443a86665ddeb44323aaa4e5
Memory dumps:
- memory/620-17-0x0000000000680000-0x0000000000684000-memory.dmp: 16KB
- memory/620-10-0x0000000000000000-mapping.dmp
- memory/620-13-0x000000006C130000-0x000000006C81E000-memory.dmp: 6.9MB
- memory/620-14-0x0000000000E60000-0x0000000000E61000-memory.dmp: 4KB
- memory/620-16-0x0000000004C30000-0x0000000004C31000-memory.dmp: 4KB
- memory/620-18-0x000000007EF40000-0x000000007EF41000-memory.dmp: 4KB
- memory/620-19-0x00000000053A0000-0x0000000005414000-memory.dmp: 464KB
- memory/620-20-0x00000000006B0000-0x00000000006DE000-memory.dmp: 184KB
- memory/1032-29-0x0000000000000000-mapping.dmp
- memory/1032-34-0x0000000001F20000-0x0000000001FB0000-memory.dmp: 576KB
- memory/1032-33-0x00000000021F0000-0x00000000024F3000-memory.dmp: 3.0MB
- memory/1032-31-0x0000000000570000-0x0000000000584000-memory.dmp: 80KB
- memory/1032-32-0x00000000000D0000-0x00000000000F9000-memory.dmp: 164KB
- memory/1200-28-0x0000000004ED0000-0x0000000005028000-memory.dmp: 1.3MB
- memory/1684-8-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp: 2.5MB
- memory/1692-22-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/1692-23-0x000000000041D0A0-mapping.dmp
- memory/1692-26-0x0000000000910000-0x0000000000C13000-memory.dmp: 3.0MB
- memory/1692-27-0x0000000000290000-0x00000000002A1000-memory.dmp: 68KB
- memory/1752-3-0x0000000071011000-0x0000000071013000-memory.dmp: 8KB
- memory/1752-4-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1752-2-0x000000002F0F1000-0x000000002F0F4000-memory.dmp: 12KB
- memory/1780-7-0x0000000075EB1000-0x0000000075EB3000-memory.dmp: 8KB
- memory/1988-5-0x0000000000000000-mapping.dmp
- memory/1988-6-0x000007FEFB811000-0x000007FEFB813000-memory.dmp: 8KB