04fe8deb7fcd8197c15970a7bd846c6e12c9108aad2464570fd4342b64190e41

Analysis

max time kernel
100s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice.xlsx
Size

1.2MB
MD5

5b73fe85493ab5de9f1fca6386854f66
SHA1

c4ab5b4c915cba9eda255be8a88702aad1aeec81
SHA256

04fe8deb7fcd8197c15970a7bd846c6e12c9108aad2464570fd4342b64190e41
SHA512

34c02b023f17d9c739e12f6c0ee1c33633f528a87c5ede4e9a65e6ab9487d0a4af3d5f1a4ba5366ef2282423832d150cb31547466d08f1f6d869b3627fce33f3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 656 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

532 vbc.exe
944 vbc.exe
1956 vbc.exe
792 vbc.exe
1080 vbc.exe
552 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

656 EQNEDT32.EXE
656 EQNEDT32.EXE
656 EQNEDT32.EXE
656 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

656 EQNEDT32.EXE

flow	pid	process
5	656	EQNEDT32.EXE

pid	process
532	vbc.exe
944	vbc.exe
1956	vbc.exe
792	vbc.exe
1080	vbc.exe
552	vbc.exe

pid	process
656	EQNEDT32.EXE
656	EQNEDT32.EXE
656	EQNEDT32.EXE
656	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
656	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1644 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
532 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 532 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1644 EXCEL.EXE
1644 EXCEL.EXE
1644 EXCEL.EXE

pid	process
1644	EXCEL.EXE

pid	process
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe
532	vbc.exe

description	pid	process
Token: SeDebugPrivilege	532	vbc.exe

pid	process
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 656 wrote to memory of 532	656	EQNEDT32.EXE	vbc.exe
PID 656 wrote to memory of 532	656	EQNEDT32.EXE	vbc.exe
PID 656 wrote to memory of 532	656	EQNEDT32.EXE	vbc.exe
PID 656 wrote to memory of 532	656	EQNEDT32.EXE	vbc.exe
PID 532 wrote to memory of 944	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 944	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 944	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 944	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1956	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1956	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1956	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1956	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 792	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 792	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 792	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 792	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1080	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1080	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1080	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 1080	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 552	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 552	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 552	532	vbc.exe	vbc.exe
PID 532 wrote to memory of 552	532	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:944

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1956

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:792

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1080

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
C:\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
\Users\Public\vbc.exe
MD5
c700731279dc3294e76a17a6f0269044

SHA1
354388e78fd21b7858772121ed7e24b6ac83b426

SHA256
4009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3

SHA512
7cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1

Download Submit
memory/532-73-0x0000000004930000-0x00000000049B4000-memory.dmp

Filesize
528KB

Download
memory/532-68-0x0000000000000000-mapping.dmp

Download
memory/532-74-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/532-75-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/532-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/532-80-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/532-79-0x000000000A430000-0x000000000A4B8000-memory.dmp

Filesize
544KB

Download
memory/656-63-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1644-78-0x0000000006030000-0x0000000006C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-77-0x0000000006030000-0x0000000006C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-76-0x0000000006030000-0x0000000006C7A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-60-0x000000002F561000-0x000000002F564000-memory.dmp

Filesize
12KB

Download
memory/1644-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-61-0x0000000070D71000-0x0000000070D73000-memory.dmp

Filesize
8KB

Download
memory/1644-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download