Analysis
- max time kernel: 151s
- max time network: 43s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 13:20
Static task: static1
Behavioral task: behavioral1; Sample: Biomed quotation.xlsx; Resource: win7v20210410
Behavioral task: behavioral2; Sample: Biomed quotation.xlsx; Resource: win10v20210408
General
- Target: Biomed quotation.xlsx
- Size: 461KB
- MD5: cede2983cf919e588ecdaaa897ee843f
- SHA1: 4a17802328d5df28a50aa70dded5450ff9fe0107
- SHA256: 50a0ad7b25ca559bc2d753a6b5c7bcdc91d362977f3169f9d344ceef9e7c1cf8
- SHA512: 861701a236cd9d6f39351bc65f343b262966fbce5b9363cb9ae5bde8673aeb58396f1c08ac4c9fd32728cc1453064c4eaa7b1bb3e957896e6cc213fa1650b422
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- URL: http://www.kelurahanpatikidul.xyz/op9s/
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1644-79-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1644-80-0x000000000041ED70-mapping.dmp | formbook
behavioral1/memory/1908-91-0x00000000000D0000-0x00000000000FE000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
6 | 1216 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
588 | vbc.exe
292 | vbc.exe
1644 | vbc.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1216 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid process | target process | entries
PID 588 set thread context of 1644 | 588 vbc.exe | vbc.exe | 1
PID 1644 set thread context of 1240 | 1644 vbc.exe | Explorer.EXE | 2
PID 1908 set thread context of 1240 | 1908 control.exe | Explorer.EXE | 1
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1108 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process | entries
588 | vbc.exe | 4
1644 | vbc.exe | 3
1908 | control.exe | 4
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1240 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process | entries
1644 | vbc.exe | 4
1908 | control.exe | 2
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 588 | vbc.exe
Token: SeDebugPrivilege | 1644 | vbc.exe
Token: SeDebugPrivilege | 1908 | control.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process | entries
1108 | EXCEL.EXE | 3
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid process | target process | entries
PID 1216 wrote to memory of 588 | 1216 EQNEDT32.EXE | vbc.exe | 4
PID 588 wrote to memory of 1512 | 588 vbc.exe | schtasks.exe | 4
PID 588 wrote to memory of 292 | 588 vbc.exe | vbc.exe | 4
PID 588 wrote to memory of 1644 | 588 vbc.exe | vbc.exe | 7
PID 1240 wrote to memory of 1908 | 1240 Explorer.EXE | control.exe | 4
PID 1908 wrote to memory of 1496 | 1908 control.exe | cmd.exe | 4
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Biomed quotation.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBJPnHZv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD72.tmp"
      - Creates scheduled task(s)
    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpFD72.tmp
MD5 b01c4334054d94b23fdb51817d057763
SHA1 0e3caa92c4e146bf09c7945d2d2581082921f87f
SHA256 bfd9993acf04591c3e4a03cc57e6e26e4b22d0df17505e1cd758e5f36f1d6e8a
SHA512 b4a4cdfe57d39935d7eefb9c5d00433be3d01682fa04811db9112293557c6bb9213c80d9ccc594a043b2fa54c9bdcc84a47263d8c38afe4cf89ea08750fff957
-
C:\Users\Public\vbc.exe
MD5 0162655d37168ffb03c4afafad5ef674
SHA1 185b7ee31ac87e4d1de151ca40e9af25b7c5bae0
SHA256 9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
SHA512 0daef250eea1bfcc0b95d9f828b9bf8b428d801dcbf120b98e60e0b9f95c841bd1597453abf601722a8c11b5fc0f29cbe193727e1c920c1cd389f8f6471c993b
-
\Users\Public\vbc.exe
MD5 0162655d37168ffb03c4afafad5ef674
SHA1 185b7ee31ac87e4d1de151ca40e9af25b7c5bae0
SHA256 9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
SHA512 0daef250eea1bfcc0b95d9f828b9bf8b428d801dcbf120b98e60e0b9f95c841bd1597453abf601722a8c11b5fc0f29cbe193727e1c920c1cd389f8f6471c993b
-
memory/588-68-0x0000000001370000-0x0000000001371000-memory.dmp | Filesize 4KB
-
memory/588-70-0x0000000004D10000-0x0000000004D11000-memory.dmp | Filesize 4KB
-
memory/588-71-0x0000000000440000-0x0000000000449000-memory.dmp | Filesize 36KB
-
memory/588-72-0x000000007EF40000-0x000000007EF41000-memory.dmp | Filesize 4KB
-
memory/588-74-0x0000000004E90000-0x0000000004F05000-memory.dmp | Filesize 468KB
-
memory/588-75-0x0000000000A70000-0x0000000000AA3000-memory.dmp | Filesize 204KB
-
memory/588-65-0x0000000000000000-mapping.dmp
-
memory/1108-61-0x0000000071D01000-0x0000000071D03000-memory.dmp | Filesize 8KB
-
memory/1108-60-0x000000002FFF1000-0x000000002FFF4000-memory.dmp | Filesize 12KB
-
memory/1108-73-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize 64KB
-
memory/1108-62-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize 64KB
-
memory/1216-63-0x0000000076E11000-0x0000000076E13000-memory.dmp | Filesize 8KB
-
memory/1240-87-0x00000000067B0000-0x00000000068B5000-memory.dmp | Filesize 1.0MB
-
memory/1240-85-0x00000000063E0000-0x0000000006533000-memory.dmp | Filesize 1.3MB
-
memory/1240-95-0x0000000006970000-0x0000000006ACF000-memory.dmp | Filesize 1.4MB
-
memory/1496-92-0x0000000000000000-mapping.dmp
-
memory/1512-76-0x0000000000000000-mapping.dmp
-
memory/1644-83-0x0000000000890000-0x0000000000B93000-memory.dmp | Filesize 3.0MB
-
memory/1644-86-0x0000000000350000-0x0000000000364000-memory.dmp | Filesize 80KB
-
memory/1644-80-0x000000000041ED70-mapping.dmp
-
memory/1644-84-0x0000000000200000-0x0000000000214000-memory.dmp | Filesize 80KB
-
memory/1644-79-0x0000000000400000-0x000000000042E000-memory.dmp | Filesize 184KB
-
memory/1908-88-0x0000000000000000-mapping.dmp
-
memory/1908-90-0x00000000008A0000-0x00000000008BF000-memory.dmp | Filesize 124KB
-
memory/1908-91-0x00000000000D0000-0x00000000000FE000-memory.dmp | Filesize 184KB
-
memory/1908-93-0x0000000001FE0000-0x00000000022E3000-memory.dmp | Filesize 3.0MB
-
memory/1908-94-0x0000000001E50000-0x0000000001EE3000-memory.dmp | Filesize 588KB