Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 07:19

Static task: static1
Behavioral task: behavioral1
  Sample: payment detail.xlsx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: payment detail.xlsx
  Resource: win10v20210408

The signatures, process tree and memory dumps below are from the behavioral1 run (Windows 7 x64 with 32-bit Office14 under Program Files (x86)).
General
Target: payment detail.xlsx
Size: 1.3MB
MD5: 6eb0b98b71b47226880cf66454012b21
SHA1: 775fa55b338f7409f5f505e1e453177f02a5014c
SHA256: 712a54a86587b69b9520604ddc0f1257298b086cc96b526b5ee9e18a4daddb6d
SHA512: 2f099c80afd0aa95fb904f556a34a50996d05c631b6e7f8ed45458d9ae6fa794e7d1e27b3e05130a4402a0ef47988ec1c27f9ca74804c34ca17bf9f5a6167481
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.tjbc-bearing.com/u6bi/
Decoy domains (an XLoader/Formbook config carries one real C2 path plus a list of legitimate-looking domains that the bot also contacts to bury the real C2 in noise; treat the entries below as low-confidence indicators and do not block them wholesale):
5588aiai.com
sint-ecommerce.com
epreyn.com
unexpectedbrewing.com
pomiandpam.com
viverdebatatas.com
dirham.world
accademiadelfuturo.net
mengyaheng.com
ilocalrealtor.com
glomiotel.website
metal1sa.com
kslife.net
maxfitnesslakeoconee.com
hoteldeleauvive.com
sidingzhou.com
getvocall.com
basicryptomining.com
indiasofannapolis.com
tresorbrut.com
majesticmanicures.com
fstreamztv.com
gohospo.net
divineryoga.com
daiye.net
shopnjteamstersfc.com
vartomp.wales
xn--ikkonentra-3ib.com
thejasonjournal.com
uluuclub.com
qlitepower.com
edimetics.com
citestaccnt1598597207.com
vincedoeslife.info
itsoriente.com
29atlantic.com
2021cacondo.com
vac.one
rebeccacorreiadance.com
bladingelse.com
vm-agritech-ltd.net
tiltyi.com
buntunm3.com
obluebeltpanomall.com
pvbankonline.com
dlqvisa.com
morganrealtyinc.net
semmedodigital.com
thrivemilano.com
satyamsofficial.com
kitchenchampsclub.com
aervius.com
htchotshot.com
alephpos.com
midfirstprivagebank.com
puzzlesvr.com
tbwhzp.com
kyuramenstatenisland.com
snackwine.com
terangatourisme.com
cophi.net
sdnjjywlc.com
ukdooss.icu
sumayyaejaz.com
Signatures

Xloader Payload 3 IoCs
  behavioral1/memory/916-82-0x0000000000400000-0x0000000000428000-memory.dmp  yara: xloader
  behavioral1/memory/916-83-0x000000000041D040-mapping.dmp  yara: xloader
  behavioral1/memory/240-91-0x00000000000C0000-0x00000000000E8000-memory.dmp  yara: xloader
  (The unpacked payload sits in the second vbc.exe instance, pid 916, at the default image base 0x400000, and again in the injected svchost.exe, pid 240; both matched regions are 160KB, per the memory dump sizes below.)
Blocklisted process makes network request 1 IoCs
  flow 6, pid 1744 EQNEDT32.EXE
Downloads MZ/PE file
  (No per-process detail in the report. Read together with the network request and dropped-DLL loads by EQNEDT32.EXE, pid 1744, and its child C:\Users\Public\vbc.exe, this is consistent with Equation Editor fetching the first-stage executable.)
Executes dropped EXE 2 IoCs
  pid 948 vbc.exe
  pid 916 vbc.exe
Loads dropped DLL 4 IoCs
  pid 1744 EQNEDT32.EXE (4 loads)
Uses the VBS compiler for execution 1 TTPs
  (This signature keys on the image name vbc.exe. The file executed here is the dropped payload C:\Users\Public\vbc.exe, MD5 7ceecb14777497d950fef12be23cb30d, not the .NET Visual Basic compiler, which lives under the .NET Framework directory; the name is borrowed to blend in.)
Suspicious use of SetThreadContext 3 IoCs
  pid 948 vbc.exe -> pid 916 vbc.exe
  pid 916 vbc.exe -> pid 1228 Explorer.EXE
  pid 240 svchost.exe -> pid 1228 Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  EQNEDT32.EXE, pid 1744, started with -Embedding, i.e. COM-activated to serve an embedded object in the workbook. The report does not identify which Equation Editor vulnerability was used.

Modifies Internet Explorer settings (EXCEL.EXE, pid 1756)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str) ...\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created ...\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str) ...\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) ...\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created ...\Software\Microsoft\Internet Explorer\MenuExt
  Key created ...\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str) ...\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int) ...\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  (All keys are under the user hive S-1-5-21-2513283230-931923277-594887482-1000. These are Excel's own registrations of its "Export to Microsoft Excel" and OneNote "Send to OneNote" IE context-menu entries, an Office artifact rather than attacker activity.)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid 1756 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid 916 vbc.exe (2)
  pid 240 svchost.exe (16)
Suspicious behavior: MapViewOfSection 5 IoCs
  pid 916 vbc.exe (3)
  pid 240 svchost.exe (2)
Suspicious use of AdjustPrivilegeToken 3 IoCs
  Token: SeDebugPrivilege  pid 916 vbc.exe
  Token: SeDebugPrivilege  pid 240 svchost.exe
  Token: SeShutdownPrivilege  pid 1228 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs
  pid 1756 EXCEL.EXE (3)
Suspicious use of WriteProcessMemory 19 IoCs
  pid 1744 EQNEDT32.EXE -> pid 948 vbc.exe (4 writes)
  pid 948 vbc.exe -> pid 916 vbc.exe (7 writes)
  pid 1228 Explorer.EXE -> pid 240 svchost.exe (4 writes)
  pid 240 svchost.exe -> pid 1768 cmd.exe (4 writes)
  (Each parent writes into a child it has just created. For 948 -> 916 the writes are paired with SetThreadContext on the same target, the process-hollowing pattern. Explorer.EXE writing into svchost.exe follows pid 916 hijacking an Explorer thread, so it is the injected code, not the shell, doing the writing.)
Processes

C:\Windows\Explorer.EXE (pid 1228)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1756)
  |    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\payment detail.xlsx"
  |    - Enumerates system info in registry
  |    - Modifies Internet Explorer settings
  |    - Suspicious behavior: AddClipboardFormatListener
  |    - Suspicious use of SetWindowsHookEx
  |
  +- C:\Windows\SysWOW64\svchost.exe (pid 240; 32-bit, spawned and written to by Explorer.EXE after pid 916 hijacked an Explorer thread)
       command line: "C:\Windows\SysWOW64\svchost.exe"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Windows\SysWOW64\cmd.exe (pid 1768)
            command line: /c del "C:\Users\Public\vbc.exe"
            (removes the dropped first stage once the payload is running inside svchost.exe)

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 1744)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Public\vbc.exe (pid 948)
       command line: "C:\Users\Public\vbc.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Users\Public\vbc.exe (pid 916; hollowed by pid 948)
            command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

Note: EQNEDT32.EXE is a separate tree root rather than a child of EXCEL.EXE because Equation Editor is started through COM activation (the -Embedding switch), so its parent is the COM launcher, not Excel. A detection that requires EXCEL.EXE as the direct parent misses this chain; EQNEDT32.EXE spawning any child at all, here a binary in C:\Users\Public, is the reliable signal.
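As an added example (not part of the sandbox report; the detection rules are my own), the Python below takes the WriteProcessMemory and SetThreadContext event lines and the process tree from this report, reconstructs the injection chain, and flags the four things a responder wants out of it: the hollowing of the second vbc.exe by the first, the thread hijacks into Explorer.EXE, the Equation Editor child launched from a user-writable path, and the cmd.exe that deletes the dropped stage. The event text and process tree are copied from the report (deduplicated); the list of user-writable directories and the rule logic are assumptions, not anything the sandbox defines.

```python
"""Reconstruct XLoader's injection chain from sandbox event lines.

Added example, not part of the sandbox report. EVENTS and PROCESS_TREE are
copied from this report's signature tables and process list; the detection
rules and USER_WRITABLE are the author's own assumptions.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "action src dst src_image dst_image")

# Event lines from the report's WriteProcessMemory / SetThreadContext
# signatures, one per distinct (source, target) pair; the sandbox logs
# every individual WriteProcessMemory call, hence the repeats on the page.
EVENTS = """\
PID 1744 wrote to memory of 948 1744 EQNEDT32.EXE vbc.exe
PID 948 wrote to memory of 916 948 vbc.exe vbc.exe
PID 1228 wrote to memory of 240 1228 Explorer.EXE svchost.exe
PID 240 wrote to memory of 1768 240 svchost.exe cmd.exe
PID 948 set thread context of 916 948 vbc.exe vbc.exe
PID 916 set thread context of 1228 916 vbc.exe Explorer.EXE
PID 240 set thread context of 1228 240 svchost.exe Explorer.EXE
"""

# Process tree from the report: pid -> (parent pid, image path, command line).
# Parent pids follow the tree depth markers; None marks a tree root.
PROCESS_TREE = {
    1228: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1756: (1228, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
           r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
           r'"C:\Users\Admin\AppData\Local\Temp\payment detail.xlsx"'),
    240:  (1228, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\SysWOW64\svchost.exe"'),
    1768: (240,  r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Public\vbc.exe"'),
    1744: (None, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
           r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    948:  (1744, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    916:  (948,  r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
}

# Assumed list of locations a standard user can write to; a binary launched
# from here by an Office helper process is a dropped stage, not an installed one.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")


def parse_events(text):
    """Parse the sandbox's flattened 'PID X <action> Y X src_image dst_image' lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m.group(2), int(m.group(1)), int(m.group(3)),
                                m.group(4), m.group(5)))
    return events


def find_hollowing(events):
    """Process hollowing: one process both writes into another's memory and
    replaces its thread context (create suspended, WriteProcessMemory,
    SetThreadContext, ResumeThread). Returns sorted (source, target) pairs."""
    wrote = {(e.src, e.dst) for e in events if e.action == "wrote to memory of"}
    ctx = {(e.src, e.dst) for e in events if e.action == "set thread context of"}
    return sorted(wrote & ctx)


def find_context_hijack(events, target_image):
    """SetThreadContext on a process the caller never wrote into (here the
    desktop shell): hijacking a thread of an already-running process."""
    wrote = {(e.src, e.dst) for e in events if e.action == "wrote to memory of"}
    return sorted((e.src, e.dst) for e in events
                  if e.action == "set thread context of"
                  and e.dst_image == target_image
                  and (e.src, e.dst) not in wrote)


def find_equation_editor_children(tree):
    """EQNEDT32.EXE has no legitimate reason to start child processes; a child
    under a user-writable path is the dropped stage of an Equation Editor exploit."""
    hits = []
    for pid, (ppid, image, _cmd) in tree.items():
        parent = tree.get(ppid)
        if (parent and parent[1].lower().endswith(r"\eqnedt32.exe")
                and image.lower().startswith(USER_WRITABLE)):
            hits.append(pid)
    return sorted(hits)


def find_self_delete(tree, dropped_paths):
    """cmd.exe deleting a path the chain just executed: payload cleanup."""
    hits = []
    for pid, (_ppid, image, cmd) in tree.items():
        low = cmd.lower()
        if (image.lower().endswith(r"\cmd.exe") and " del " in low
                and any(p.lower() in low for p in dropped_paths)):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("hollowing (src -> dst):", find_hollowing(ev))
    print("thread hijack into Explorer.EXE:", find_context_hijack(ev, "Explorer.EXE"))
    print("EQNEDT32.EXE children in user-writable paths:",
          find_equation_editor_children(PROCESS_TREE))
    print("self-delete of dropped payload:",
          find_self_delete(PROCESS_TREE, [r"C:\Users\Public\vbc.exe"]))
```

Run against the report's own data this returns 948 -> 916 as the hollowing pair, 916 -> 1228 and 240 -> 1228 as thread hijacks into Explorer.EXE with no preceding write (the report's MapViewOfSection signature on pids 916 and 240 is the likely way the code got there), pid 948 as the Equation Editor child in C:\Users\Public, and pid 1768 as the cleanup cmd.exe. Note that Explorer.EXE's own write into svchost.exe is not flagged as hollowing or hijack: it is the hijacked Explorer thread populating a child it created, which is why svchost.exe appears under Explorer in the process tree.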
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe (also listed as \Users\Public\vbc.exe; the report repeats this single file several times with identical hashes)
  MD5: 7ceecb14777497d950fef12be23cb30d
  SHA1: a0ad7d5adb5cf2ddc4aa993988ce48dde92c2e5e
  SHA256: e7fa638aceedeb8dbe7baeb928d639a6a1498a6fb2385f06c9ce40e01e7b9e16
  SHA512: 291c87baba3e39212811f3cf43aca034d751bcaf2a3e0e5293c47d277bd3238e911ded0bde8f3a07bccafdee7aefbe953cd8f72690913736c0bfc9c07a0c61c9
Memory dumps (named pid-N-range; N increases over the run, so the mapping dump of a new process precedes its memory dumps)

pid 1756 EXCEL.EXE
  memory/1756-60-0x000000002F911000-0x000000002F914000-memory.dmp  12KB
  memory/1756-61-0x0000000071521000-0x0000000071523000-memory.dmp  8KB
  memory/1756-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/1756-74-0x0000000006020000-0x0000000006C6A000-memory.dmp  12.3MB
  memory/1756-75-0x0000000006020000-0x0000000006C6A000-memory.dmp  12.3MB
  memory/1756-76-0x0000000006020000-0x0000000006C6A000-memory.dmp  12.3MB
  memory/1756-77-0x0000000006020000-0x0000000006C6A000-memory.dmp  12.3MB
  memory/1756-78-0x0000000006020000-0x0000000006C6A000-memory.dmp  12.3MB

pid 1744 EQNEDT32.EXE
  memory/1744-63-0x0000000075FE1000-0x0000000075FE3000-memory.dmp  8KB

pid 948 vbc.exe (first instance)
  memory/948-68-0x0000000000000000-mapping.dmp
  memory/948-71-0x00000000013B0000-0x00000000013B1000-memory.dmp  4KB
  memory/948-73-0x0000000004CB0000-0x0000000004CB1000-memory.dmp  4KB
  memory/948-79-0x0000000000600000-0x000000000061B000-memory.dmp  108KB
  memory/948-80-0x0000000005EE0000-0x0000000005F52000-memory.dmp  456KB
  memory/948-81-0x0000000000C20000-0x0000000000C4F000-memory.dmp  188KB

pid 916 vbc.exe (second instance, hollowed)
  memory/916-82-0x0000000000400000-0x0000000000428000-memory.dmp  160KB  (yara: xloader)
  memory/916-83-0x000000000041D040-mapping.dmp  (yara: xloader)
  memory/916-85-0x0000000000810000-0x0000000000B13000-memory.dmp  3.0MB
  memory/916-86-0x0000000000080000-0x0000000000090000-memory.dmp  64KB

pid 1228 Explorer.EXE
  memory/1228-87-0x0000000004D00000-0x0000000004E23000-memory.dmp  1.1MB

pid 240 svchost.exe
  memory/240-88-0x0000000000000000-mapping.dmp
  memory/240-90-0x0000000000C40000-0x0000000000C48000-memory.dmp  32KB
  memory/240-91-0x00000000000C0000-0x00000000000E8000-memory.dmp  160KB  (yara: xloader)
  memory/240-92-0x0000000000860000-0x0000000000B63000-memory.dmp  3.0MB
  memory/240-93-0x0000000000620000-0x00000000006AF000-memory.dmp  572KB

pid 1768 cmd.exe
  memory/1768-89-0x0000000000000000-mapping.dmp