Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 16:07
Static task: static1
Behavioral task: behavioral1
  Sample: GLC-2021-E025(1).xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: GLC-2021-E025(1).xlsx
  Resource: win10v20210410
General
Target: GLC-2021-E025(1).xlsx
Size: 1.2MB
MD5: 0b88672aa208666b2a856b6637517d45
SHA1: 6a255c999480b1dc260944d0aa10eebc11cdd994
SHA256: 8e2417d7d83848d639c70725fc66a8d81f46bbbf936b1442fd649ff4f2885c54
SHA512: 879607423bcb6d80837b34268d1e798f2d9f4394aa4c576954f8a05776b46faab8f7b657a7feaeea2b9ab8e34d41c78bbd9f208572dc20646c0ae9a6192d7e93
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.allodrh.com/qmf6/
Decoy domains (64):
triloxi.com
blackstogether.com
jctradingllc.com
debbieandlesa.com
badseedsco.com
tjlovers.com
creativeresourcesconsulting.com
ksmjobs.net
reginajohas.net
site123web.com
pracliphardware.com
lunchtimewithtwilyght.com
remotereel.com
spartanmu.com
porter-booking-engine.com
slouberdounces.com
certificationsarchive.com
kat420nip.com
prancegoldholdingsjewels.com
xn--botiqunbotnico-4gb1q.com
merlinevcenter.com
roofingmiramar.com
dtforex.com
firstpersondev.com
minx.wine
calleymarie.com
ansiolev.com
planetentertainment.net
solisdq.info
trumpkilledthekurds.com
prospecthomeinspection.com
mygoogle-account.com
8666gp.com
an-food.net
hapticfootwear.com
joonoocos.com
thebinarybit.com
sweclocker.com
suemylp.com
zipyay.com
kavusikhodro.com
michellekirbynd.com
flatminis.com
bellabodyweightloss.com
allhomeoffices.com
groovysmoothieandjuice.com
m230.site
oralfitnessdc.com
captureq.com
pawoldiaspora.com
abogatec.com
moknowstexting.com
juliathechild.com
theherbx.com
applymyname.com
we-love.coffee
s9c7s5f0d99.mobi
algerie24news-dz.com
raditpramudya.com
maritimotapas.com
starfish.wtf
girliot.com
freshampere.info
viennavatreeservice.com
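The extracted config is directly usable as a network detection. The following Python is an added example, not part of the Triage report: it assumes, as FormBook/Xloader is documented to do, that the sample requests the one configured URI path (/qmf6/ here) from the decoy domains as well as from the real C2, so the indicator is "listed host plus that path", not the C2 entry alone. The proxy-log lines are constructed, their format (timestamp client method url status) is an assumed one, and DECOY_DOMAINS is a subset of the 64 decoys listed above.

```python
"""Turn the extracted Xloader config into a proxy-log detection.

Added example, not part of the Triage report. Assumption (FormBook/Xloader
behaviour): one URI path is requested from the C2 and every decoy domain,
so a listed host + that path is a beacon regardless of the server's answer.
SAMPLE_LOG is constructed; its column layout is an assumed format.
"""
from urllib.parse import urlsplit

C2_URL = "http://www.allodrh.com/qmf6/"
DECOY_DOMAINS = [  # first entries of the report's decoy list; extend with the rest
    "triloxi.com", "blackstogether.com", "jctradingllc.com", "debbieandlesa.com",
    "badseedsco.com", "tjlovers.com", "creativeresourcesconsulting.com", "site123web.com",
]

# Constructed proxy log: three beacons from 10.0.0.5 plus benign-looking noise
# (a plain visit to a decoy root, the path on an unlisted host, a near-miss path).
SAMPLE_LOG = """\
2021-07-27T16:08:01Z 10.0.0.5 GET http://www.allodrh.com/qmf6/?Jv=abc123&hX=QmFzZTY0 200
2021-07-27T16:08:03Z 10.0.0.5 GET http://www.triloxi.com/qmf6/?Jv=abc123&hX=QmFzZTY0 404
2021-07-27T16:08:05Z 10.0.0.5 POST http://badseedsco.com/qmf6/ 200
2021-07-27T16:08:07Z 10.0.0.7 GET http://www.triloxi.com/ 200
2021-07-27T16:08:09Z 10.0.0.7 GET http://example.com/qmf6/ 200
2021-07-27T16:08:11Z 10.0.0.7 GET http://site123web.com/qmf6x/ 200
"""


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def config_to_indicators(c2_url, decoys):
    """Return (path, hosts): the beacon path and every host it may be sent to,
    with and without a www. prefix, since the config mixes both forms."""
    c2 = urlsplit(c2_url)
    hosts = set()
    for name in [c2.hostname] + list(decoys):
        bare = _strip_www(name.lower())
        hosts.update({bare, "www." + bare})
    return c2.path, hosts


def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def match_beacons(log_text, c2_url, decoys):
    """Return the log records whose host is in the config and whose path starts
    with the config path, each tagged as c2 or decoy."""
    path, hosts = config_to_indicators(c2_url, decoys)
    c2_host = _strip_www(urlsplit(c2_url).hostname.lower())
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        u = urlsplit(rec["url"])
        host = (u.hostname or "").lower()
        # A 404 from a decoy is still a hit: the client walks the list regardless of answer.
        if host in hosts and u.path.startswith(path):
            rec["host"] = host
            rec["role"] = "c2" if _strip_www(host) == c2_host else "decoy"
            hits.append(rec)
    return hits


def infected_clients(hits):
    """Clients that contacted at least one listed host with the beacon path."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    found = match_beacons(SAMPLE_LOG, C2_URL, DECOY_DOMAINS)
    for h in found:
        print(f'{h["ts"]} {h["client"]} {h["method"]:4} {h["host"]:24} {h["role"]}')
    print("infected:", sorted(infected_clients(found)))
```

Matching on the path rather than on the domain list alone matters in both directions: a user browsing to the root of one of the (often legitimate, compromised or parked) decoy domains is not a hit, while a beacon to a decoy that answers 404 is.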
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1960-74-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral1/memory/676-81-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
5 | 1720 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
240 | vbc.exe
1960 | vbc.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1720 | EQNEDT32.EXE (4 loads)
-
Uses the VBS compiler for execution 1 TTPs
(Triggered by the dropped file's name, C:\Users\Public\vbc.exe. It is not the .NET Visual Basic compiler; the hashes under Downloads identify the dropped payload.)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 240 set thread context of 1960 | 240 | vbc.exe | vbc.exe
PID 1960 set thread context of 1212 | 1960 | vbc.exe | Explorer.EXE
PID 676 set thread context of 1212 | 676 | colorcpl.exe | Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is a legacy Office component, started out of process with the -Embedding switch, that is often targeted by exploits such as CVE-2017-11882. It has no legitimate reason to spawn child processes or make network requests; in this run it does both.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1840 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
pid | process
1960 | vbc.exe (2 occurrences)
676 | colorcpl.exe (26 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1212 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
240 | vbc.exe (1 occurrence)
1960 | vbc.exe (3 occurrences)
676 | colorcpl.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1960 | vbc.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE (5 occurrences)
Token: SeDebugPrivilege | 676 | colorcpl.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1212 | Explorer.EXE (4 occurrences)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
1212 | Explorer.EXE (4 occurrences)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1840 | EXCEL.EXE (3 occurrences)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 240 | 1720 | EQNEDT32.EXE | vbc.exe (4 writes)
PID 240 wrote to memory of 1960 | 240 | vbc.exe | vbc.exe (5 writes)
PID 1212 wrote to memory of 676 | 1212 | Explorer.EXE | colorcpl.exe (4 writes)
PID 676 wrote to memory of 1036 | 676 | colorcpl.exe | cmd.exe (4 writes)
Processes
-
C:\Windows\Explorer.EXE (pid 1212)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1840)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\GLC-2021-E025(1).xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  -
  C:\Windows\SysWOW64\colorcpl.exe (pid 676)
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe (pid 1036)
      Command line: /c del "C:\Users\Public\vbc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 1720)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Public\vbc.exe (pid 240)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Public\vbc.exe (pid 1960)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (launched by EQNEDT32.EXE as pid 240; the same file is also recorded under the drive-less path \Users\Public\vbc.exe)
MD5: f0ed2e7cf6f9f1d1c50685e851a06412
SHA1: 3d0949bc857db236e56c495d6a570e54bd09d6c8
SHA256: ed97e9802edd407c13fe0fa214582d2c4623797bb0c38b0b583a1d919d078284
SHA512: 23141f5ab73b9ced48e51a77b57dc3d5eb37ae23d768addf326b22ffdef7b01118746728643fe267071c6863a04a6a72c2937998d40efa7cdfb84c3a918535cf
-
memory/240-73-0x0000000000220000-0x0000000000222000-memory.dmp  Filesize: 8KB
memory/240-67-0x0000000000000000-mapping.dmp
memory/676-82-0x0000000000BC0000-0x0000000000EC3000-memory.dmp  Filesize: 3.0MB
memory/676-78-0x0000000000000000-mapping.dmp
memory/676-89-0x0000000000540000-0x00000000005CF000-memory.dmp  Filesize: 572KB
memory/676-81-0x0000000000080000-0x00000000000A8000-memory.dmp  Filesize: 160KB
memory/676-80-0x0000000000F70000-0x0000000000F88000-memory.dmp  Filesize: 96KB
memory/1036-83-0x0000000000000000-mapping.dmp
memory/1212-90-0x0000000005040000-0x00000000050DE000-memory.dmp  Filesize: 632KB
memory/1212-77-0x00000000043D0000-0x0000000004488000-memory.dmp  Filesize: 736KB
memory/1720-62-0x0000000074D91000-0x0000000074D93000-memory.dmp  Filesize: 8KB
memory/1840-86-0x0000000006000000-0x0000000006C4A000-memory.dmp  Filesize: 12.3MB
memory/1840-59-0x000000002FC31000-0x000000002FC34000-memory.dmp  Filesize: 12KB
memory/1840-84-0x0000000006000000-0x0000000006C4A000-memory.dmp  Filesize: 12.3MB
memory/1840-85-0x0000000006000000-0x0000000006C4A000-memory.dmp  Filesize: 12.3MB
memory/1840-60-0x0000000070E81000-0x0000000070E83000-memory.dmp  Filesize: 8KB
memory/1840-87-0x0000000006000000-0x0000000006C4A000-memory.dmp  Filesize: 12.3MB
memory/1840-88-0x0000000006000000-0x0000000006C4A000-memory.dmp  Filesize: 12.3MB
memory/1840-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1840-91-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1960-76-0x0000000000310000-0x0000000000320000-memory.dmp  Filesize: 64KB
memory/1960-75-0x00000000008E0000-0x0000000000BE3000-memory.dmp  Filesize: 3.0MB
memory/1960-74-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB
memory/1960-71-0x000000000041D030-mapping.dmp