Analysis
- max time kernel: 150s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: Refno.191938.xlsx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Refno.191938.xlsx
  Resource: win10v20210410
General
- Target: Refno.191938.xlsx
- Size: 319KB
- MD5: a6ea0794f2791f9f2bdfcdb467122e6b
- SHA1: 83815a1977485c3fabdd49c91926d0482e3b78e1
- SHA256: db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
- SHA512: 8e9d56848c8e9dc03676348ebc0b57b650cfe4a8c61d1d8825b68e7989f29eb83509e9a1d5d35fcdf9e81e1ddcd8ed6a80d7a947e5906965f9d42f89f7d6fc6d
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2: http://www.mvcsecrets.com/op9s/
Signatures
-
Formbook Payload 3 IoCs
Processes:
  behavioral1/memory/1816-80-0x0000000000400000-0x000000000042E000-memory.dmp  yara_rule: formbook
  behavioral1/memory/1816-81-0x000000000041ED40-mapping.dmp  yara_rule: formbook
  behavioral1/memory/968-90-0x0000000000070000-0x000000000009E000-memory.dmp  yara_rule: formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow 5  pid 1844  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid 1184  vbc.exe
  pid 1816  vbc.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid 1844  EQNEDT32.EXE
  pid 1844  EQNEDT32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 1184 set thread context of 1816  (vbc.exe -> vbc.exe)
  PID 1816 set thread context of 1288  (vbc.exe -> Explorer.EXE)
  PID 968 set thread context of 1288  (cscript.exe -> Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Key created  \Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cscript.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 1084  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid 1816  vbc.exe  (2 entries)
  pid 968  cscript.exe  (6 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1288  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid 1816  vbc.exe  (3 entries)
  pid 968  cscript.exe  (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  pid 1816  vbc.exe
  Token: SeDebugPrivilege  pid 968  cscript.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid 1084  EXCEL.EXE  (3 entries)
  pid 1184  vbc.exe  (2 entries)
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
  PID 1844 wrote to memory of 1184  (EQNEDT32.EXE -> vbc.exe)  (4 entries)
  PID 1184 wrote to memory of 1764  (vbc.exe -> schtasks.exe)  (4 entries)
  PID 1184 wrote to memory of 1816  (vbc.exe -> vbc.exe)  (7 entries)
  PID 1288 wrote to memory of 968  (Explorer.EXE -> cscript.exe)  (4 entries)
  PID 968 wrote to memory of 1516  (cscript.exe -> Firefox.exe)  (5 entries)
Processes
-
C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (depth 2)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Refno.191938.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cscript.exe  (depth 2)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (depth 1)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe  (depth 2)
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fendlKCsOIoiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp"
      - Creates scheduled task(s)
    C:\Users\Public\vbc.exe  (depth 3)
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp
  MD5: c075e6f1cbf46155b4e600e10c332a41
  SHA1: 7f62b2a1f8e9a6a443f959ca412e890693a0b2e9
  SHA256: f279f2322ed8baea8f698151105c2ce310b151c57a447941b716ee1f7e9474e5
  SHA512: 272126a2b0f54d72410aa25f99ba5b4bb2bf91a3f298de9361ab9018c3e53f93d14c2afe471a05f95f24033bebf80ff323b3239892c0202e913d6fd62fdd1095
-
C:\Users\Public\vbc.exe
  MD5: 106ada585df884b13cd6a8a71e404c78
  SHA1: 470e8dd108972fe65c027b9d4856aa365b69fd9e
  SHA256: 612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572
  SHA512: aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2
-
memory/968-91-0x0000000001FC0000-0x00000000022C3000-memory.dmp  Filesize: 3.0MB
memory/968-92-0x0000000001ED0000-0x0000000001F63000-memory.dmp  Filesize: 588KB
memory/968-89-0x0000000000280000-0x00000000002A2000-memory.dmp  Filesize: 136KB
memory/968-90-0x0000000000070000-0x000000000009E000-memory.dmp  Filesize: 184KB
memory/968-87-0x0000000000000000-mapping.dmp
memory/1084-60-0x000000002F781000-0x000000002F784000-memory.dmp  Filesize: 12KB
memory/1084-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1084-61-0x00000000715A1000-0x00000000715A3000-memory.dmp  Filesize: 8KB
memory/1084-75-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1184-77-0x0000000004EC0000-0x0000000004EF5000-memory.dmp  Filesize: 212KB
memory/1184-76-0x00000000052F0000-0x000000000536F000-memory.dmp  Filesize: 508KB
memory/1184-66-0x0000000000000000-mapping.dmp
memory/1184-73-0x00000000048F1000-0x00000000048F2000-memory.dmp  Filesize: 4KB
memory/1184-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp  Filesize: 4KB
memory/1184-71-0x00000000048F0000-0x00000000048F1000-memory.dmp  Filesize: 4KB
memory/1184-74-0x00000000048F2000-0x00000000048F3000-memory.dmp  Filesize: 4KB
memory/1184-72-0x0000000000B60000-0x0000000000B6E000-memory.dmp  Filesize: 56KB
memory/1288-86-0x0000000006F50000-0x000000000707F000-memory.dmp  Filesize: 1.2MB
memory/1288-93-0x00000000049A0000-0x0000000004A62000-memory.dmp  Filesize: 776KB
memory/1516-94-0x0000000000000000-mapping.dmp
memory/1516-95-0x000000013F9E0000-0x000000013FA73000-memory.dmp  Filesize: 588KB
memory/1516-96-0x0000000000060000-0x000000000015B000-memory.dmp  Filesize: 1004KB
memory/1764-78-0x0000000000000000-mapping.dmp
memory/1816-85-0x0000000000170000-0x0000000000184000-memory.dmp  Filesize: 80KB
memory/1816-84-0x00000000008D0000-0x0000000000BD3000-memory.dmp  Filesize: 3.0MB
memory/1816-81-0x000000000041ED40-mapping.dmp
memory/1816-80-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/1844-63-0x00000000752F1000-0x00000000752F3000-memory.dmp  Filesize: 8KB