Analysis
- max time kernel: 148s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 13:03
Static task: static1
Behavioral task: behavioral1, sample Payment.xlsx, resource win7v20210410
Behavioral task: behavioral2, sample Payment.xlsx, resource win10v20210408
The signatures, process tree and memory dumps on this page are from behavioral1 (Windows 7 x64).
General
- Target: Payment.xlsx
- Size: 1.3MB
- MD5: 05f49aa5b342dedd1d7b6673f3d8bc41
- SHA1: 9ca061b9851269f8b1d2fd990ebe119903a5f0fb
- SHA256: 3a6cc669542f5e3f9a801e9344b182c71e72396e27afbeac14eeb3d3be0b9498
- SHA512: dc296422a45c34721b0746b1b3b34581def5b69b081718e790d4ad75e9e67c6f1afd6a5197ee48fba9d1d7c574ac95a4797b29ad4b2bfc094580fffa78513f2b
Malware Config
Extracted family: xloader
Version: 2.3
C2 URL: http://www.cats16.com/8u3b/
Domains (XLoader/Formbook configs pair one URI path with a list of candidate domains, most of which are decoys; treat every entry below, and the C2 host, as an IoC):
pipienta.com
wisdomfest.net
jenniferreich.com
bigcanoehomesforless.com
kayandbernard.com
offerbuildingsecrets.com
benleefoto.com
contactlesssoftware.tech
statenislandplumbing.info
lifestylemedicineservices.com
blazerplanning.com
fnatic-skins.club
effectivemarketinginc.com
babyshopit.com
2000deal.com
k12paymentcemter.com
spwakd.com
lesreponses.com
abundando.com
hawkspremierfhc.com
midwestmadeclothing.com
kamuakuinisiapa.com
swirlingheadjewelry.com
donelys.com
stiloksero.com
hoangphucsolar.com
gb-contracting.com
girlboyfriends.com
decadejam.com
glassfullcoffee.com
todoparaconstruccion.com
anygivenrunday.com
newgalaxyindia.com
dahlonegaforless.com
blue-light.tech
web-evo.com
armmotive.com
mollysmulligan.com
penislandbrewer.com
wgrimao.com
dxm-int.net
sarmaayagroup.com
timbraunmusician.com
amazoncovid19tracer.com
peaknband.com
pyqxlz.com
palomachurch.com
surfboardwarehouse.net
burundiacademyst.com
pltcoin.com
workinglifestyle.com
vickybowskill.com
ottawahomevalues.info
jtrainterrain.com
francescoiocca.com
metallitypiercing.com
lashsavings.com
discjockeydelraybeach.com
indicraftsvilla.com
tbq.xyz
arfjkacsgatfzbazpdth.com
appsend.online
cunerier.com
orospucocuguatmaca.com
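The extracted config is only useful once it is in a form a detection pipeline can consume. The script below is an added example, not part of the sandbox report: it parses the config above (C2 URL plus domain list), matches constructed DNS/proxy log lines against the domains and the C2 URI path, and emits one Suricata DNS rule per domain. The sample log lines, the SID range, and the assumption that the sample requests the same URI path on every listed domain (the usual XLoader/Formbook scheme) are this example's own.

```python
"""Turn the extracted XLoader config into log matchers and Suricata DNS rules."""
import re
from urllib.parse import urlparse

# Config as recovered by the sandbox: the C2 URL, then the 64 domains
# (packed several per line here; any whitespace separates entries).
XLOADER_CONFIG = """
http://www.cats16.com/8u3b/
pipienta.com wisdomfest.net jenniferreich.com bigcanoehomesforless.com kayandbernard.com
offerbuildingsecrets.com benleefoto.com contactlesssoftware.tech statenislandplumbing.info
lifestylemedicineservices.com blazerplanning.com fnatic-skins.club effectivemarketinginc.com
babyshopit.com 2000deal.com k12paymentcemter.com spwakd.com lesreponses.com abundando.com
hawkspremierfhc.com midwestmadeclothing.com kamuakuinisiapa.com swirlingheadjewelry.com
donelys.com stiloksero.com hoangphucsolar.com gb-contracting.com girlboyfriends.com
decadejam.com glassfullcoffee.com todoparaconstruccion.com anygivenrunday.com
newgalaxyindia.com dahlonegaforless.com blue-light.tech web-evo.com armmotive.com
mollysmulligan.com penislandbrewer.com wgrimao.com dxm-int.net sarmaayagroup.com
timbraunmusician.com amazoncovid19tracer.com peaknband.com pyqxlz.com palomachurch.com
surfboardwarehouse.net burundiacademyst.com pltcoin.com workinglifestyle.com vickybowskill.com
ottawahomevalues.info jtrainterrain.com francescoiocca.com metallitypiercing.com lashsavings.com
discjockeydelraybeach.com indicraftsvilla.com tbq.xyz arfjkacsgatfzbazpdth.com appsend.online
cunerier.com orospucocuguatmaca.com
"""

# Hostname-looking tokens in a lower-cased log line (IPs and timestamps do not match).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def parse_config(text):
    """Return (c2_host, c2_path, domains).

    The one token containing '://' is the C2 URL; every other token is a domain.
    The C2 host is added to the domain set so it is matched like the others.
    """
    c2_host = c2_path = None
    domains = set()
    for tok in text.split():
        if "://" in tok:
            url = urlparse(tok)
            c2_host, c2_path = url.hostname.lower(), url.path
        else:
            domains.add(tok.lower().strip("."))
    if c2_host:
        domains.add(c2_host)
    return c2_host, c2_path, domains


def candidate_urls(c2_path, domains):
    """Assumption for this example: the sample requests the same URI path on every
    listed domain, so each domain + path is a concrete URL IoC."""
    return sorted(f"http://{d}{c2_path}" for d in domains)


def matched_domain(host, domains):
    """Return the config entry that `host` equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines, domains, c2_path):
    """Flag lines that resolve/contact a config domain or carry the C2 URI path.

    Returns [(line_no, [reasons...])]. A path-only hit on an unknown host is kept,
    because the path is shared across the whole domain list of this build.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        low = line.lower()
        reasons = set()
        for host in HOST_RE.findall(low):
            d = matched_domain(host, domains)
            if d:
                reasons.add(f"domain:{d}")
        if c2_path and c2_path in low:
            reasons.add(f"path:{c2_path}")
        if reasons:
            hits.append((no, sorted(reasons)))
    return hits


def suricata_dns_rules(domains, base_sid=9000001):
    """One dns.query rule per domain; base_sid is a placeholder for a local SID range."""
    return [
        f'alert dns any any -> any any (msg:"XLoader 2.3 config domain {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(sorted(domains))
    ]


# Constructed log lines for the example (not captured from the sandbox run).
SAMPLE_LOG = [
    "2021-05-04T13:05:01Z 10.0.0.5 dns A www.cats16.com",
    "2021-05-04T13:05:02Z 10.0.0.5 http GET http://www.cats16.com/8u3b/",
    "2021-05-04T13:05:09Z 10.0.0.5 dns A pipienta.com",
    "2021-05-04T13:05:10Z 10.0.0.7 http GET http://intranet.example/8u3b/",
    "2021-05-04T13:05:11Z 10.0.0.9 dns A www.microsoft.com",
]

if __name__ == "__main__":
    host, path, doms = parse_config(XLOADER_CONFIG)
    print(f"C2 {host}{path}, {len(doms)} domains, {len(candidate_urls(path, doms))} URLs")
    for no, reasons in scan_log(SAMPLE_LOG, doms, path):
        print(f"line {no}: {', '.join(reasons)}")
    print("\n".join(suricata_dns_rules(doms)[:2]))
```

Line 4 of the constructed log trips only the path rule: that is deliberate, since the family rotates through its domain list and a `/8u3b/` request to a host outside the list is still worth a look. Matching is suffix-based, so `cdn.pipienta.com` counts as `pipienta.com`.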
Signatures
Xloader Payload (3 IoCs)
YARA rule "xloader" matched in memory:
- behavioral1/memory/1532-80-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/1532-81-0x000000000041D0A0-mapping.dmp
- behavioral1/memory/620-93-0x00000000000D0000-0x00000000000F9000-memory.dmp
Both matched regions are 164KB (see the memory dumps below): the unpacked XLoader image in the second, hollowed vbc.exe (PID 1532, at its image base 0x400000) and the copy injected into ipconfig.exe (PID 620).
Blocklisted process makes network request (1 IoC)
- PID 332 EQNEDT32.EXE, flow 6
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
- PID 1828 vbc.exe
- PID 1532 vbc.exe
Loads dropped DLL (5 IoCs)
- PID 332 EQNEDT32.EXE (5 times)
Uses the VBS compiler for execution (1 TTP)
This signature keys on the image name vbc.exe (the .NET Visual Basic compiler). Here C:\Users\Public\vbc.exe is the file dropped by EQNEDT32.EXE (see Downloads), not the compiler, so this is a name collision rather than a living-off-the-land use of the real binary.
Suspicious use of SetThreadContext (4 IoCs)
- PID 1828 vbc.exe set thread context of PID 1532 vbc.exe
- PID 1532 vbc.exe set thread context of PID 1292 Explorer.EXE (2 times)
- PID 620 ipconfig.exe set thread context of PID 1292 Explorer.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
- EXCEL.EXE opened key \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
This is a routine Office startup read and carries no signal on its own.
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
- PID 620 ipconfig.exe
The signature keys on the image name. ipconfig.exe is started by Explorer.EXE with no arguments and serves as the host for the injected payload (the xloader YARA match in its memory above); the network-configuration output is not what matters here.
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor (EQNEDT32.EXE) is a legacy Office component that Office starts out of process through DCOM, which is why it runs with the -Embedding switch and has no EXCEL.EXE parent in the process tree below. It is the usual host for exploits such as CVE-2017-11882, and in this run it is the process that makes the network request, loads the dropped DLL and writes into vbc.exe. Microsoft removed the component in the January 2018 Office updates; on installations that still carry it, the advisory workaround of setting "Compatibility Flags" to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the WOW6432Node equivalent) prevents it from being instantiated.
Modifies Internet Explorer settings (9 IoCs)
EXCEL.EXE (PID 1116):
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
These are the standard Office 2010 browser-integration entries (Send to OneNote, Export to Microsoft Excel) that Excel writes on first run in a fresh profile; they are Office behaviour, not sample activity.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1116 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 1532 vbc.exe (3 times)
- PID 620 ipconfig.exe (2 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1292 Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 1532 vbc.exe (4 times)
- PID 620 ipconfig.exe (2 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 1532 vbc.exe: SeDebugPrivilege
- PID 620 ipconfig.exe: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 1116 EXCEL.EXE (3 times)
- PID 1828 vbc.exe (2 times)
Suspicious use of WriteProcessMemory (19 IoCs)
- PID 332 EQNEDT32.EXE wrote to memory of PID 1828 vbc.exe (4 times)
- PID 1828 vbc.exe wrote to memory of PID 1532 vbc.exe (7 times)
- PID 1292 Explorer.EXE wrote to memory of PID 620 ipconfig.exe (4 times)
- PID 620 ipconfig.exe wrote to memory of PID 1072 cmd.exe (4 times)
Processes
C:\Windows\Explorer.EXE (PID 1292)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1116)
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Payment.xlsx
    (/dde is the normal shell-open verb for .xlsx files, not an indicator)
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ipconfig.exe (PID 620)
    cmdline: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1072)
      cmdline: /c del "C:\Users\Public\vbc.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 332)
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (PID 1828)
    cmdline: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe (PID 1532)
      cmdline: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Reading the two subtrees together with the signatures above: EQNEDT32.EXE (started by DCOM for the embedded object in Payment.xlsx) fetches and runs C:\Users\Public\vbc.exe (PID 1828), which hollows a second copy of itself (PID 1532, SetThreadContext, xloader YARA match at 0x400000). That copy injects into Explorer.EXE (PID 1292), which is why ipconfig.exe (PID 620) appears under Explorer rather than under vbc.exe; ipconfig.exe receives the payload in turn (xloader YARA match in its memory), injects back into Explorer, and spawns cmd.exe to delete the dropper from C:\Users\Public.
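The tree above is the detection surface for this sample. The script below is an added example, not part of the sandbox report: it replays the tree as Sysmon-style process-creation events (constructed from the PIDs and command lines on this page; the parents of Explorer.EXE and EQNEDT32.EXE are not on the page and are left unset) and runs rules for each link of the chain, including Equation Editor spawning a child, an executable running from C:\Users\Public, a process launching a copy of its own image (the SetThreadContext hollowing pattern), Explorer starting an argument-less system binary, and cmd.exe deleting a binary that already ran in the tree. The event dict layout and the rule names are this example's own.

```python
"""Replay the report's process tree as process-creation events and flag the chain
Equation Editor -> dropper -> hollowed copy -> injected system binary -> cleanup."""
import ntpath
import re

# Events constructed from the PIDs and command lines in the report above. The parents
# of Explorer.EXE and EQNEDT32.EXE are not on the page (EQNEDT32.EXE is started by
# DCOM, not by EXCEL.EXE), so their ppid is left as None.
EVENTS = [
    {"pid": 1292, "ppid": None, "image": "C:\\Windows\\Explorer.EXE",
     "cmdline": "C:\\Windows\\Explorer.EXE"},
    {"pid": 1116, "ppid": 1292,
     "image": "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE" /dde '
                "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment.xlsx"},
    {"pid": 332, "ppid": None,
     "image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "cmdline": '"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'},
    {"pid": 1828, "ppid": 332, "image": "C:\\Users\\Public\\vbc.exe",
     "cmdline": '"C:\\Users\\Public\\vbc.exe"'},
    {"pid": 1532, "ppid": 1828, "image": "C:\\Users\\Public\\vbc.exe",
     "cmdline": '"C:\\Users\\Public\\vbc.exe"'},
    {"pid": 620, "ppid": 1292, "image": "C:\\Windows\\SysWOW64\\ipconfig.exe",
     "cmdline": '"C:\\Windows\\SysWOW64\\ipconfig.exe"'},
    {"pid": 1072, "ppid": 620, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '/c del "C:\\Users\\Public\\vbc.exe"'},
]

USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def base(image):
    return ntpath.basename(image).lower()


def bare_invocation(ev):
    """True when the command line is just the (possibly quoted) image path."""
    return ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()


def detect(events):
    """Return [(rule_name, pid)] in event order; one pid can trip several rules."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        img = ev["image"].lower()
        # Equation Editor renders OLE objects; it never legitimately starts processes.
        if parent and base(parent["image"]) == "eqnedt32.exe":
            hits.append(("eqnedt32_spawned_child", ev["pid"]))
        # Binaries executing from world-writable or temp paths.
        if any(d in img for d in USER_WRITABLE):
            hits.append(("exe_from_user_writable_dir", ev["pid"]))
        # Parent launching a second copy of itself: the SetThreadContext hollowing pattern.
        if parent and parent["image"].lower() == img:
            hits.append(("same_image_child_possible_hollowing", ev["pid"]))
        # Explorer starting a system utility with no arguments (injection host pick).
        if (parent and base(parent["image"]) == "explorer.exe"
                and img.startswith(SYSTEM_DIRS) and bare_invocation(ev)):
            hits.append(("explorer_spawns_bare_system_binary", ev["pid"]))
        # cmd /c del of a file that already executed in this tree: dropper cleanup.
        m = DEL_RE.search(ev["cmdline"]) if base(ev["image"]) == "cmd.exe" else None
        if m and m.group(1).lower() in images:
            hits.append(("cmd_deletes_executed_binary", ev["pid"]))
    return hits


def lineage(events, pid):
    """Walk ppid links upward: 'child <- parent <- grandparent'."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(names)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid {pid:5d}  {lineage(EVENTS, pid)}")
```

The lineage of cmd.exe comes out as `cmd.exe <- ipconfig.exe <- explorer.exe`, which shows the limit of parent-child rules alone: the real initiator of that branch is the hollowed vbc.exe that injected into Explorer (the SetThreadContext and WriteProcessMemory entries above). To tie the two subtrees together, correlate these process-creation events with Sysmon ProcessAccess (event 10) and CreateRemoteThread (event 8) records keyed on the target PID.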
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\vbc.exe (dropped by EQNEDT32.EXE; the same file is also recorded as \Users\Public\vbc.exe, and every entry carries the same hashes)
- MD5: 5551346aa9f251895021b95a2a7cc390
- SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
- SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
- SHA512: 35e43a0f2ef1dd2dfaf921d8af3a4f3ef0f4675479d496141358561c84a3b8c8b1a5bd9497fe6c26757d3e6637edab538ac587d73bc6d47e9b90b751abf55ba3
Memory dumps (by PID; filesize shown where the report gives one)
PID 332 (EQNEDT32.EXE)
- memory/332-62-0x00000000767B1000-0x00000000767B3000-memory.dmp: 8KB
PID 620 (ipconfig.exe)
- memory/620-89-0x0000000000000000-mapping.dmp
- memory/620-92-0x0000000000300000-0x000000000030A000-memory.dmp: 40KB
- memory/620-93-0x00000000000D0000-0x00000000000F9000-memory.dmp: 164KB (xloader YARA match)
- memory/620-94-0x0000000002020000-0x0000000002323000-memory.dmp: 3.0MB
- memory/620-95-0x0000000001F00000-0x0000000001F90000-memory.dmp: 576KB
PID 1072 (cmd.exe)
- memory/1072-91-0x0000000000000000-mapping.dmp
PID 1116 (EXCEL.EXE)
- memory/1116-59-0x000000002F9C1000-0x000000002F9C4000-memory.dmp: 12KB
- memory/1116-60-0x0000000071B01000-0x0000000071B03000-memory.dmp: 8KB
- memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1116-77-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
PID 1292 (Explorer.EXE)
- memory/1292-86-0x0000000004740000-0x0000000004833000-memory.dmp: 972KB
- memory/1292-88-0x0000000006DA0000-0x0000000006EBB000-memory.dmp: 1.1MB
- memory/1292-96-0x0000000006A00000-0x0000000006AC6000-memory.dmp: 792KB
PID 1532 (vbc.exe, hollowed copy)
- memory/1532-80-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB (xloader YARA match)
- memory/1532-81-0x000000000041D0A0-mapping.dmp (xloader YARA match)
- memory/1532-84-0x0000000000A00000-0x0000000000D03000-memory.dmp: 3.0MB
- memory/1532-85-0x0000000000140000-0x0000000000151000-memory.dmp: 68KB
- memory/1532-87-0x0000000000190000-0x00000000001A1000-memory.dmp: 68KB
PID 1828 (vbc.exe, dropper)
- memory/1828-68-0x0000000000000000-mapping.dmp
- memory/1828-71-0x0000000000950000-0x0000000000951000-memory.dmp: 4KB
- memory/1828-73-0x0000000004EF0000-0x0000000004EF1000-memory.dmp: 4KB
- memory/1828-74-0x0000000004EF1000-0x0000000004EF2000-memory.dmp: 4KB
- memory/1828-75-0x0000000004EF2000-0x0000000004EF3000-memory.dmp: 4KB
- memory/1828-76-0x00000000004F0000-0x00000000004FE000-memory.dmp: 56KB
- memory/1828-78-0x00000000052F0000-0x0000000005368000-memory.dmp: 480KB
- memory/1828-79-0x0000000004790000-0x00000000047C0000-memory.dmp: 192KB