Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 14:43

Static task: static1
Behavioral task: behavioral1
  Sample: HANYUAN PROJECT SDN BHD _PRJ S2505.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: HANYUAN PROJECT SDN BHD _PRJ S2505.xlsx
  Resource: win10v20210410
General
Target: HANYUAN PROJECT SDN BHD _PRJ S2505.xlsx
Size: 1.2MB
MD5: 7c5f2178cbddc544639af018ee27181b
SHA1: b587c5fe244c025ea92e8ec1e112da5a1d151084
SHA256: 7cb3ffa44654db626e5eaec3cf679ac8c4c033db7103fff7da4e8ccb4aacf797
SHA512: 69174a968a7920d5e258ef17b0f6a72000b9d074063a306e5642e1e3c05893e676382b3a6539f9e05151c6ce1718de19ab05580b03414f513fe90994570c1a84
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.surreal-myzrael.com/z7a/
Domains:
dotstories.xyz
egd-dz.com
caringhealthrecruit.com
transportdupont.com
teh-support.pro
catfad.com
pinewoodlakepool.net
pendekar-qq.info
duplicuty-garden.com
librtshop.com
stepmed.life
seatplusplus.com
bluzelle.money
weflew.xyz
bolaci.com
arrebatamentonews.com
sukesanblog.com
shadow-campaign.com
anpfiff.net
taste-of-poland.com
fortniting.com
hotels-congres.com
seven10sixty.com
sarahbeanfalo.net
qoslkkhqtg.net
balancewithdrjody.com
jinjulicm.com
vlccfixtures.com
formsautomationsolution.com
ssrinfo.com
viidegrees.com
blueskysites.com
asamedicalsystems.com
ukl.ink
energymanagerpro.com
teammcniffrealestate.com
ava.education
ericsmobileworkshop.com
top10shadetrees.com
renovialab.com
motorworld.rentals
delossantos4nc.com
kaisuo69.com
flyfishingdaily.com
easyhomeone.com
empeflix.com
firstfamilyofwdw.life
solevux.com
maycheer.store
unleashedword.com
supremenursery.com
stagenego.com
corona-massnahmengesetzii.info
adultwebmas.com
jackcockburn.com
ibalawyer.com
freeliving.xyz
cybersecuredad.com
virtualipassistant.com
800seyana.com
directlinestream.com
proprepflooring.com
kaustubhkokate.com
hoslergroup.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/932-77-0x00000000002C0000-0x00000000002CB000-memory.dmp  CustAttr

Formbook Payload 3 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/760-81-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral1/memory/760-82-0x000000000041EB30-mapping.dmp                    formbook
  behavioral1/memory/564-90-0x00000000000D0000-0x00000000000FE000-memory.dmp  formbook

Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid  process
  6     616  EQNEDT32.EXE
Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes:
  pid  process
  932  vbc.exe
  524  vbc.exe
  760  vbc.exe

Loads dropped DLL 4 IoCs
Processes:
  pid  process
  616  EQNEDT32.EXE  (4 entries)

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                         pid  process    target process
  PID 932 set thread context of 760   932  vbc.exe    vbc.exe
  PID 760 set thread context of 1268  760  vbc.exe    Explorer.EXE
  PID 564 set thread context of 1268  564  wuapp.exe  Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  description      ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid  process
  784  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
  pid  process
  932  vbc.exe    (2 entries)
  760  vbc.exe    (2 entries)
  564  wuapp.exe  (14 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1268  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid  process
  760  vbc.exe    (3 entries)
  564  wuapp.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     932   vbc.exe
  Token: SeDebugPrivilege     760   vbc.exe
  Token: SeDebugPrivilege     564   wuapp.exe
  Token: SeShutdownPrivilege  1268  Explorer.EXE  (5 entries)

Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid  process
  784  EXCEL.EXE  (5 entries)

Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  description                      pid   process       target process
  PID 616 wrote to memory of 932   616   EQNEDT32.EXE  vbc.exe    (4 entries)
  PID 932 wrote to memory of 524   932   vbc.exe       vbc.exe    (4 entries)
  PID 932 wrote to memory of 760   932   vbc.exe       vbc.exe    (7 entries)
  PID 1268 wrote to memory of 564  1268  Explorer.EXE  wuapp.exe  (7 entries)
  PID 564 wrote to memory of 368   564   wuapp.exe     cmd.exe    (4 entries)
Processes
C:\Windows\Explorer.EXE  (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (level 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\HANYUAN PROJECT SDN BHD _PRJ S2505.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\autoconv.exe  (level 2)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\wuapp.exe  (level 2)
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (level 3)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe  (level 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe  (level 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE

    C:\Users\Public\vbc.exe  (level 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\vbc.exe  (4 entries, identical hashes)
  MD5:    56784137661c7e02c6c0e36b8fd217de
  SHA1:   5b5d6c51607a99af40889379e369f8ecb98f95b8
  SHA256: 7d65154a5dc05da45ebfe7b8a5bdb4858bf80812060257a5bde5d90ab12b23a6
  SHA512: fbf7c67d3598b7e62ee9eb77cb6e190672fdd9e635f07752c46e7e815083a90a5927e9e0a5c22eac66f836916cdb2724ddc03b9fec3c402b5b073c225f0f026e

\Users\Public\vbc.exe  (4 entries, identical hashes)
  MD5:    56784137661c7e02c6c0e36b8fd217de
  SHA1:   5b5d6c51607a99af40889379e369f8ecb98f95b8
  SHA256: 7d65154a5dc05da45ebfe7b8a5bdb4858bf80812060257a5bde5d90ab12b23a6
  SHA512: fbf7c67d3598b7e62ee9eb77cb6e190672fdd9e635f07752c46e7e815083a90a5927e9e0a5c22eac66f836916cdb2724ddc03b9fec3c402b5b073c225f0f026e
Memory dumps
memory/368-88-0x0000000000000000-mapping.dmp
memory/564-92-0x0000000000A20000-0x0000000000AB3000-memory.dmp  Filesize: 588KB
memory/564-89-0x0000000000F10000-0x0000000000F1B000-memory.dmp  Filesize: 44KB
memory/564-87-0x0000000000000000-mapping.dmp
memory/564-90-0x00000000000D0000-0x00000000000FE000-memory.dmp  Filesize: 184KB
memory/564-91-0x0000000000BA0000-0x0000000000EA3000-memory.dmp  Filesize: 3.0MB
memory/616-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp  Filesize: 8KB
memory/760-82-0x000000000041EB30-mapping.dmp
memory/760-81-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/760-85-0x00000000004A0000-0x00000000004B4000-memory.dmp  Filesize: 80KB
memory/760-84-0x0000000000770000-0x0000000000A73000-memory.dmp  Filesize: 3.0MB
memory/784-74-0x0000000006060000-0x0000000006CAA000-memory.dmp  Filesize: 12.3MB
memory/784-76-0x0000000006060000-0x0000000006CAA000-memory.dmp  Filesize: 12.3MB
memory/784-75-0x0000000006060000-0x0000000006CAA000-memory.dmp  Filesize: 12.3MB
memory/784-93-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/784-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/784-60-0x000000002F991000-0x000000002F994000-memory.dmp  Filesize: 12KB
memory/784-61-0x0000000071091000-0x0000000071093000-memory.dmp  Filesize: 8KB
memory/932-68-0x0000000000000000-mapping.dmp
memory/932-79-0x0000000000D50000-0x0000000000D85000-memory.dmp  Filesize: 212KB
memory/932-78-0x0000000005100000-0x000000000517A000-memory.dmp  Filesize: 488KB
memory/932-77-0x00000000002C0000-0x00000000002CB000-memory.dmp  Filesize: 44KB
memory/932-73-0x0000000000510000-0x0000000000511000-memory.dmp  Filesize: 4KB
memory/932-71-0x00000000012F0000-0x00000000012F1000-memory.dmp  Filesize: 4KB
memory/1268-86-0x0000000006C20000-0x0000000006DAD000-memory.dmp  Filesize: 1.6MB
memory/1268-94-0x0000000006160000-0x0000000006261000-memory.dmp  Filesize: 1.0MB