Analysis
- max time kernel: 148s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 09:05
- Static task: static1
- Behavioral task behavioral1: Sample GLC-2021-E025.xlsx, Resource win7v20210410
- Behavioral task behavioral2: Sample GLC-2021-E025.xlsx, Resource win10v20210410
General
- Target: GLC-2021-E025.xlsx
- Size: 1.2MB
- MD5: 0b88672aa208666b2a856b6637517d45
- SHA1: 6a255c999480b1dc260944d0aa10eebc11cdd994
- SHA256: 8e2417d7d83848d639c70725fc66a8d81f46bbbf936b1442fd649ff4f2885c54
- SHA512: 879607423bcb6d80837b34268d1e798f2d9f4394aa4c576954f8a05776b46faab8f7b657a7feaeea2b9ab8e34d41c78bbd9f208572dc20646c0ae9a6192d7e93
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.allodrh.com/qmf6/
Domains:
triloxi.com
blackstogether.com
jctradingllc.com
debbieandlesa.com
badseedsco.com
tjlovers.com
creativeresourcesconsulting.com
ksmjobs.net
reginajohas.net
site123web.com
pracliphardware.com
lunchtimewithtwilyght.com
remotereel.com
spartanmu.com
porter-booking-engine.com
slouberdounces.com
certificationsarchive.com
kat420nip.com
prancegoldholdingsjewels.com
xn--botiqunbotnico-4gb1q.com
merlinevcenter.com
roofingmiramar.com
dtforex.com
firstpersondev.com
minx.wine
calleymarie.com
ansiolev.com
planetentertainment.net
solisdq.info
trumpkilledthekurds.com
prospecthomeinspection.com
mygoogle-account.com
8666gp.com
an-food.net
hapticfootwear.com
joonoocos.com
thebinarybit.com
sweclocker.com
suemylp.com
zipyay.com
kavusikhodro.com
michellekirbynd.com
flatminis.com
bellabodyweightloss.com
allhomeoffices.com
groovysmoothieandjuice.com
m230.site
oralfitnessdc.com
captureq.com
pawoldiaspora.com
abogatec.com
moknowstexting.com
juliathechild.com
theherbx.com
applymyname.com
we-love.coffee
s9c7s5f0d99.mobi
algerie24news-dz.com
raditpramudya.com
maritimotapas.com
starfish.wtf
girliot.com
freshampere.info
viennavatreeservice.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 2 IoCs
Processes (resource | yara_rule):
behavioral1/memory/1528-76-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral1/memory/1092-85-0x00000000000C0000-0x00000000000E8000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes (flow | pid | process):
6 | 1336 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
872 | vbc.exe
1528 | vbc.exe
-
Loads dropped DLL 4 IoCs
Processes (pid | process):
1336 | EQNEDT32.EXE (4 times)
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description | pid | process | target process):
PID 872 set thread context of 1528 | 872 | vbc.exe | vbc.exe
PID 1528 set thread context of 1196 | 1528 | vbc.exe | Explorer.EXE
PID 1092 set thread context of 1196 | 1092 | wininit.exe | Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
736 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes (pid | process):
1528 | vbc.exe (2 times)
1092 | wininit.exe (27 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
1196 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid | process):
872 | vbc.exe
1528 | vbc.exe (3 times)
1092 | wininit.exe (2 times)
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 1528 | vbc.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE (4 times)
Token: SeDebugPrivilege | 1092 | wininit.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE (4 times)
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes (pid | process):
1196 | Explorer.EXE (6 times)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid | process):
1196 | Explorer.EXE (4 times)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid | process):
736 | EXCEL.EXE (5 times)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description | pid | process | target process):
PID 1336 wrote to memory of 872 | 1336 | EQNEDT32.EXE | vbc.exe (4 times)
PID 872 wrote to memory of 1528 | 872 | vbc.exe | vbc.exe (5 times)
PID 1196 wrote to memory of 1092 | 1196 | Explorer.EXE | wininit.exe (4 times)
PID 1092 wrote to memory of 1824 | 1092 | wininit.exe | cmd.exe (4 times)
Processes
Process tree (the bracketed number is the nesting depth; each entry lists the signatures it triggered):

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\GLC-2021-E025.xlsx
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\wininit.exe
      Command line: "C:\Windows\SysWOW64\wininit.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Public\vbc.exe"

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
- MD5: f0ed2e7cf6f9f1d1c50685e851a06412
- SHA1: 3d0949bc857db236e56c495d6a570e54bd09d6c8
- SHA256: ed97e9802edd407c13fe0fa214582d2c4623797bb0c38b0b583a1d919d078284
- SHA512: 23141f5ab73b9ced48e51a77b57dc3d5eb37ae23d768addf326b22ffdef7b01118746728643fe267071c6863a04a6a72c2937998d40efa7cdfb84c3a918535cf
-
\Users\Public\vbc.exe
- MD5: f0ed2e7cf6f9f1d1c50685e851a06412
- SHA1: 3d0949bc857db236e56c495d6a570e54bd09d6c8
- SHA256: ed97e9802edd407c13fe0fa214582d2c4623797bb0c38b0b583a1d919d078284
- SHA512: 23141f5ab73b9ced48e51a77b57dc3d5eb37ae23d768addf326b22ffdef7b01118746728643fe267071c6863a04a6a72c2937998d40efa7cdfb84c3a918535cf
-
Memory dumps (file, size):
- memory/736-84-0x0000000006190000-0x0000000006DDA000-memory.dmp (12.3MB)
- memory/736-80-0x0000000006190000-0x0000000006DDA000-memory.dmp (12.3MB)
- memory/736-91-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/736-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/736-82-0x0000000006190000-0x0000000006DDA000-memory.dmp (12.3MB)
- memory/736-61-0x0000000070F51000-0x0000000070F53000-memory.dmp (8KB)
- memory/736-83-0x0000000006190000-0x0000000006DDA000-memory.dmp (12.3MB)
- memory/736-60-0x000000002F321000-0x000000002F324000-memory.dmp (12KB)
- memory/872-74-0x00000000001B0000-0x00000000001B2000-memory.dmp (8KB)
- memory/872-68-0x0000000000000000-mapping.dmp
- memory/1092-87-0x0000000001FD0000-0x00000000022D3000-memory.dmp (3.0MB)
- memory/1092-79-0x0000000000000000-mapping.dmp
- memory/1092-81-0x00000000006E0000-0x00000000006FA000-memory.dmp (104KB)
- memory/1092-88-0x0000000000410000-0x000000000049F000-memory.dmp (572KB)
- memory/1092-85-0x00000000000C0000-0x00000000000E8000-memory.dmp (160KB)
- memory/1196-78-0x0000000003AE0000-0x0000000003BE9000-memory.dmp (1.0MB)
- memory/1196-89-0x0000000006F60000-0x00000000070E3000-memory.dmp (1.5MB)
- memory/1336-63-0x00000000757E1000-0x00000000757E3000-memory.dmp (8KB)
- memory/1528-76-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1528-72-0x000000000041D030-mapping.dmp
- memory/1528-75-0x00000000006E0000-0x00000000009E3000-memory.dmp (3.0MB)
- memory/1528-77-0x0000000000290000-0x00000000002A0000-memory.dmp (64KB)
- memory/1824-86-0x0000000000000000-mapping.dmp