Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 14:05

Tasks
- Static task: static1
- Behavioral task behavioral1: sample Payment.xlsx, resource win7v20210408 (Windows 7 x64)
- Behavioral task behavioral2: sample Payment.xlsx, resource win10v20210410 (Windows 10)

The signatures, process tree, dropped files and memory dumps below come from behavioral1, the Windows 7 x64 run.
General
- Target: Payment.xlsx
- Size: 1.3MB
- MD5: 05f49aa5b342dedd1d7b6673f3d8bc41
- SHA1: 9ca061b9851269f8b1d2fd990ebe119903a5f0fb
- SHA256: 3a6cc669542f5e3f9a801e9344b182c71e72396e27afbeac14eeb3d3be0b9498
- SHA512: dc296422a45c34721b0746b1b3b34581def5b69b081718e790d4ad75e9e67c6f1afd6a5197ee48fba9d1d7c574ac95a4797b29ad4b2bfc094580fffa78513f2b
Malware Config
- Extracted family: xloader
- Version: 2.3
- C2 URL: http://www.cats16.com/8u3b/
- Domains in the config (64 entries, listed below). XLoader, like Formbook before it, pads its configuration with decoy domains alongside the live C2 host, so corroborate an entry before blocking it network-wide; the report does not record which of these were actually contacted during the run:
pipienta.com
wisdomfest.net
jenniferreich.com
bigcanoehomesforless.com
kayandbernard.com
offerbuildingsecrets.com
benleefoto.com
contactlesssoftware.tech
statenislandplumbing.info
lifestylemedicineservices.com
blazerplanning.com
fnatic-skins.club
effectivemarketinginc.com
babyshopit.com
2000deal.com
k12paymentcemter.com
spwakd.com
lesreponses.com
abundando.com
hawkspremierfhc.com
midwestmadeclothing.com
kamuakuinisiapa.com
swirlingheadjewelry.com
donelys.com
stiloksero.com
hoangphucsolar.com
gb-contracting.com
girlboyfriends.com
decadejam.com
glassfullcoffee.com
todoparaconstruccion.com
anygivenrunday.com
newgalaxyindia.com
dahlonegaforless.com
blue-light.tech
web-evo.com
armmotive.com
mollysmulligan.com
penislandbrewer.com
wgrimao.com
dxm-int.net
sarmaayagroup.com
timbraunmusician.com
amazoncovid19tracer.com
peaknband.com
pyqxlz.com
palomachurch.com
surfboardwarehouse.net
burundiacademyst.com
pltcoin.com
workinglifestyle.com
vickybowskill.com
ottawahomevalues.info
jtrainterrain.com
francescoiocca.com
metallitypiercing.com
lashsavings.com
discjockeydelraybeach.com
indicraftsvilla.com
tbq.xyz
arfjkacsgatfzbazpdth.com
appsend.online
cunerier.com
orospucocuguatmaca.com
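The config above is only useful once it is in a form that matches real telemetry. The following is an added example, not part of the sandbox report: it normalises the C2 URL and the domain list into a host set, matches hosts on label boundaries (so a subdomain of a config domain matches, but a look-alike that merely starts with "cats16.com" does not), and runs the result over a few DNS/proxy log lines. CONFIG_DOMAINS is a subset of the 64 domains in the report; the log format and the log lines are constructed for the demonstration.

```python
"""Network IoC matching for the extracted XLoader config.

Added example; it is not part of the sandbox report. C2_URL and
CONFIG_DOMAINS are copied from the report's Malware Config section
(CONFIG_DOMAINS is a subset of the 64 listed domains). SAMPLE_LOG is a
constructed DNS/proxy log in a made-up "key=value" format.
"""
import re
from urllib.parse import urlparse

C2_URL = "http://www.cats16.com/8u3b/"

# Subset of the domain list from the report; extend with the full list.
CONFIG_DOMAINS = """
pipienta.com
wisdomfest.net
jenniferreich.com
k12paymentcemter.com
amazoncovid19tracer.com
blue-light.tech
tbq.xyz
"""


def normalize_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' label."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_iocs(c2_url, domains):
    """Return the hosts to watch plus the C2 host/path for exact matching."""
    c2 = urlparse(c2_url)
    hosts = {normalize_host(d) for d in domains.splitlines() if d.strip()}
    hosts.add(normalize_host(c2.hostname))
    return {"hosts": hosts, "c2_host": c2.hostname.lower(), "c2_path": c2.path}


def matching_ioc(host, ioc_hosts):
    """Return the IoC that `host` equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'mail.wisdomfest.net' matches
    'wisdomfest.net' but 'cats16.com.evil.example' does not match 'cats16.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_hosts:
            return candidate
    return None


HOST_FIELD = re.compile(r"\b(?:query|url)=(\S+)")


def host_from_line(line):
    """Pull the queried name or the URL host out of one log line."""
    m = HOST_FIELD.search(line)
    if not m:
        return None
    value = m.group(1)
    return urlparse(value).hostname if "://" in value else value


def scan(lines, iocs):
    """Return (line_no, host, matched_ioc, reason) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = host_from_line(line)
        if host is None:
            continue
        ioc = matching_ioc(host, iocs["hosts"])
        if ioc is None:
            continue
        exact_c2 = host.lower() == iocs["c2_host"] and iocs["c2_path"] in line
        hits.append((n, host, ioc, "c2-url" if exact_c2 else "config-domain"))
    return hits


IOCS = build_iocs(C2_URL, CONFIG_DOMAINS)

# Constructed log lines, not from the report.
SAMPLE_LOG = [
    "2021-05-04T14:06:01Z dns client=10.0.0.15 query=www.cats16.com type=A",
    "2021-05-04T14:06:02Z proxy client=10.0.0.15 method=POST url=http://www.cats16.com/8u3b/ status=200",
    "2021-05-04T14:06:03Z dns client=10.0.0.15 query=mail.wisdomfest.net type=A",
    "2021-05-04T14:06:04Z dns client=10.0.0.15 query=www.example.org type=A",
    "2021-05-04T14:06:05Z dns client=10.0.0.15 query=cats16.com.evil-lookalike.example type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOCS):
        print("line %d: %s -> %s (%s)" % hit)
```

A hit tagged "c2-url" is the only one that ties a client to the live C2 path; "config-domain" hits may be decoys and are better treated as pivots for a hunt than as blocking decisions on their own.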
Signatures

Xloader Payload (3 IoCs)
YARA rule "xloader" matched these dumps from behavioral1:
- memory/832-81-0x0000000000400000-0x0000000000429000-memory.dmp (vbc.exe, PID 832)
- memory/832-82-0x000000000041D0A0-mapping.dmp (vbc.exe, PID 832)
- memory/1296-91-0x00000000000D0000-0x00000000000F9000-memory.dmp (msdt.exe, PID 1296)
The 832 and 1296 regions are both 164KB: the same unpacked payload appears first in the hollowed vbc.exe child and later in msdt.exe, where XLoader ends up after migrating through Explorer.EXE (see SetThreadContext and WriteProcessMemory below).

Blocklisted process makes network request (1 IoC)
- flow 7: PID 1072 EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
- PID 1528 vbc.exe
- PID 832 vbc.exe

Loads dropped DLL (5 IoCs)
- PID 1072 EQNEDT32.EXE (five dropped-DLL loads)

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the name of the Visual Basic command-line compiler; here it is a file dropped into C:\Users\Public (see "Executes dropped EXE"), not the compiler itself.

Suspicious use of SetThreadContext (2 IoCs)
- PID 1528 vbc.exe set thread context of PID 832 vbc.exe
- PID 832 vbc.exe set thread context of PID 1220 Explorer.EXE
Two injection hops: the first vbc.exe hollows a copy of itself (SetThreadContext plus the seven WriteProcessMemory calls into the child, below, is the usual hollowing pattern), and that copy then injects into Explorer.EXE.

Enumerates system info in registry (2 TTPs, 1 IoC)
- EXCEL.EXE opened key \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882. Here it is started as a COM server (-Embedding) while Excel has Payment.xlsx open, then makes a network request, loads dropped DLLs and writes into the memory of the vbc.exe it spawns.

Modifies Internet Explorer settings (9 IoCs)
All by EXCEL.EXE under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer:
- Key created: MenuExt
- Key created: MenuExt\Se&nd to OneNote
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key created: Toolbar
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
These are the Office/IE integration keys Excel writes on first run in a fresh profile, consistent with normal application behaviour rather than with the payload.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1828 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 832 vbc.exe (2)
- PID 1296 msdt.exe (2)

Suspicious behavior: MapViewOfSection (4 IoCs)
- PID 832 vbc.exe (3)
- PID 1296 msdt.exe (1)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 832 vbc.exe: SeDebugPrivilege
- PID 1296 msdt.exe: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 1828 EXCEL.EXE (3)
- PID 1528 vbc.exe (2)

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 1072 EQNEDT32.EXE wrote to PID 1528 vbc.exe (4 writes)
- PID 1528 vbc.exe wrote to PID 832 vbc.exe (7 writes)
- PID 1220 Explorer.EXE wrote to PID 1296 msdt.exe (4 writes)
- PID 1296 msdt.exe wrote to PID 1556 cmd.exe (4 writes)
Read together with the process tree: Equation Editor drops and starts vbc.exe, vbc.exe hollows a child copy of itself, the child injects into Explorer.EXE, and the injected Explorer launches msdt.exe, which in turn uses cmd.exe to delete the dropper from C:\Users\Public.
Processes (behavioral1; PIDs from the signature tables)

C:\Windows\Explorer.EXE (PID 1220)
  C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1828)
  |     "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Payment.xlsx
  |     - Enumerates system info in registry
  |     - Modifies Internet Explorer settings
  |     - Suspicious behavior: AddClipboardFormatListener
  |     - Suspicious use of SetWindowsHookEx
  |
  +-- C:\Windows\SysWOW64\msdt.exe (PID 1296)
        "C:\Windows\SysWOW64\msdt.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe (PID 1556)
              C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1072)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Public\vbc.exe (PID 1528)
        "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Users\Public\vbc.exe (PID 832)
              "C:\Users\Public\vbc.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken

EQNEDT32.EXE appears as a second root rather than as a child of EXCEL.EXE because it is started by COM activation (the -Embedding switch), not by a direct CreateProcess from Excel; a parent-child rule keyed on Excel alone would miss this chain. msdt.exe likewise hangs off Explorer.EXE, not off vbc.exe, because it is launched from the code injected into Explorer.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
The report lists this file eight times, under both the C:\Users\Public\vbc.exe and \Users\Public\vbc.exe spellings, with identical hashes each time; it is a single dropped artifact (the dropper started twice as PIDs 1528 and 832 and later deleted by cmd.exe).
- MD5: 5551346aa9f251895021b95a2a7cc390
- SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
- SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
- SHA512: 35e43a0f2ef1dd2dfaf921d8af3a4f3ef0f4675479d496141358561c84a3b8c8b1a5bd9497fe6c26757d3e6637edab538ac587d73bc6d47e9b90b751abf55ba3
Memory dumps
Dump names are memory/<pid>-<sequence>-<range>-memory.dmp (or -mapping.dmp for a mapped-section record); the PID-to-process mapping is taken from the signature tables above.

PID 832 (vbc.exe, hollowed child)
- memory/832-81-0x0000000000400000-0x0000000000429000-memory.dmp, 164KB (xloader YARA match)
- memory/832-82-0x000000000041D0A0-mapping.dmp (xloader YARA match)
- memory/832-85-0x00000000008A0000-0x0000000000BA3000-memory.dmp, 3.0MB
- memory/832-86-0x00000000002F0000-0x0000000000301000-memory.dmp, 68KB

PID 1072 (EQNEDT32.EXE)
- memory/1072-63-0x00000000762C1000-0x00000000762C3000-memory.dmp, 8KB

PID 1220 (Explorer.EXE)
- memory/1220-87-0x0000000006080000-0x0000000006211000-memory.dmp, 1.6MB

PID 1296 (msdt.exe)
- memory/1296-88-0x0000000000000000-mapping.dmp
- memory/1296-90-0x0000000000640000-0x0000000000734000-memory.dmp, 976KB
- memory/1296-91-0x00000000000D0000-0x00000000000F9000-memory.dmp, 164KB (xloader YARA match)
- memory/1296-92-0x0000000002270000-0x0000000002573000-memory.dmp, 3.0MB

PID 1528 (vbc.exe, dropper as started by EQNEDT32.EXE)
- memory/1528-69-0x0000000000000000-mapping.dmp
- memory/1528-72-0x0000000001310000-0x0000000001311000-memory.dmp, 4KB
- memory/1528-74-0x0000000001240000-0x0000000001241000-memory.dmp, 4KB
- memory/1528-75-0x0000000001241000-0x0000000001242000-memory.dmp, 4KB
- memory/1528-76-0x0000000001242000-0x0000000001243000-memory.dmp, 4KB
- memory/1528-77-0x0000000000A80000-0x0000000000A8E000-memory.dmp, 56KB
- memory/1528-79-0x0000000005B40000-0x0000000005BB8000-memory.dmp, 480KB
- memory/1528-80-0x0000000001210000-0x0000000001240000-memory.dmp, 192KB

PID 1556 (cmd.exe)
- memory/1556-93-0x0000000000000000-mapping.dmp

PID 1828 (EXCEL.EXE)
- memory/1828-60-0x000000002FDA1000-0x000000002FDA4000-memory.dmp, 12KB
- memory/1828-61-0x0000000071CA1000-0x0000000071CA3000-memory.dmp, 8KB
- memory/1828-62-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB
- memory/1828-78-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB

The two YARA hits are the same 0x29000-byte module at different addresses: at the image base 0x400000 in the hollowed vbc.exe child, where it has replaced the original executable, and at 0xD0000 in msdt.exe, which is not an image base and so indicates a manually mapped copy. The matching 3.0MB (0x303000) regions in PID 832 and PID 1296 are consistent with the same working set being carried across that migration. For triage, memory/832-81 and memory/1296-91 are the dumps to pull for the unpacked XLoader sample.