Analysis
- max time kernel: 148s
- max time network: 190s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-08-2021 18:16

Tasks
- Static task: static1
- Behavioral task behavioral1: sample PI_55034455.xlsx, resource win7v20210410
- Behavioral task behavioral2: sample PI_55034455.xlsx, resource win10v20210408

The signatures, process tree and memory dumps below come from behavioral1 (Windows 7 x64, Office14 paths); the yara resources are prefixed behavioral1/ accordingly.
General
- Target: PI_55034455.xlsx
- Size: 1.3MB
- MD5: b677902aa5e2126451dc6258e35d99f5
- SHA1: 2325d8d4c12de4fcd6b29c152cf4017983730198
- SHA256: 4b2e04f07ddbbc25db9260eac2de0d8ce45488b3a2c80de9c384b1abb014bbbd
- SHA512: e7b2fb8dad97742f85aa935bcde585d1876c79600804f969c8667c2011250b194fb3dc2b505d444a8210590182b2213ace2c09e5fed7f9e370d955796f0fd8d8
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign ID: ecuu
- C2: http://www.polaritelibrairie.com/ecuu/
- Decoy domains: Xloader (like FormBook before it) beacons to the real C2 and to a long list of unrelated domains so that the true server does not stand out in a capture. Block and hunt on the C2 URL above; treat the domains below as decoys that are very likely legitimate sites, not as compromised infrastructure, unless other evidence says otherwise.
buoy8boats.com
tomrings.com
o-distribs.com
majesticgroupinc.com
tehridam.com
yzwjtoys.com
castro-online.run
aquarius-twins.com
jamesrrossfineart.com
pavarasupatthonkol.com
rivermarketdentistry.com
gyiblrjd.icu
redcountrypodcast.com
youngbrotherspharmacyga.com
betsysobiech.com
neocleanpro.com
ingpatrimoine.com
mustangsallytransportation.com
jsvfcxzn.com
krsfpjuoekcd.info
cricutcutfiles.club
fjucurta.com
soberrituals.com
mercamoderna.com
empirerack.com
poorwhitetrashlivesmatter.net
the-boardroom-usa.com
boldgroupghana.com
stathotshots.com
workabhaile.com
drgigadvisors.com
tfqvslhlh.club
meo6.com
myreti.com
tasteofourneighborhood.com
manufacturedinjapan.com
listenstech.com
jdcloud-neucampus.com
westgateoptometry.store
sourcefirstconsulting.com
xmasmobitvbuy.com
blackhillsfarmtn.com
georgiaforless.com
enovexcorp.com
nxtelligence.com
emotionalgangster.com
chainsawsparts.com
dplqyz.com
lossaboresdemama.com
805thaifood.com
safeandsoundyachtservices.com
grandparentsandkids.com
catalystdentalallies.com
keplersark.com
desrefuses.com
comerciolimited.com
cotonslife.com
pegasusf.xyz
rocketmortgagedeceit.com
mypartydelivered.com
gvassummit2020.com
thefamilybubble.com
lgjccz.com
donnaquerns.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi loader that misuses cloud services to download other malicious families. In this run it is the first stage and the Xloader payload is what it delivers.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader is the 2020 rebrand of FormBook and keeps its check-in format, so the network rules still carry the FormBook name; the second rule fires on the short, alphanumeric URL from which the loader fetches the PE file.
-
Xloader Payload 3 IoCs
Processes:
- behavioral1/memory/1740-76-0x0000000000000000-mapping.dmp: xloader
- behavioral1/memory/1740-85-0x0000000010410000-0x0000000010439000-memory.dmp: xloader
- behavioral1/memory/1360-91-0x00000000000C0000-0x00000000000E9000-memory.dmp: xloader
The two memory.dmp regions are both 0x29000 bytes (164KB) and sit in the two injected hosts, ieinstal.exe (PID 1740) and wininit.exe (PID 1360): the same unpacked Xloader image is present in both.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: wininit.exe
- Key created: \Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (wininit.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\0LPXFRO8_VTP = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" (wininit.exe)
Policies\Explorer\Run is the Group Policy autostart list: Explorer processes it at logon exactly like the ordinary Run key, but tooling that only enumerates HKCU\...\CurrentVersion\Run misses it. The value points at the genuine Internet Explorer installer binary, the process that hosts the payload in this run, rather than at a dropped file, so the autostart entry itself looks clean.
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
- flow 5, PID 268, EQNEDT32.EXE
Equation Editor has no legitimate reason to open network connections. Outbound traffic from EQNEDT32.EXE, followed here by "Downloads MZ/PE file" and the launch of C:\Users\Public\vbc.exe, is the footprint of the CVE-2017-11882 class of exploit, not of rendering an embedded formula.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes: vbc.exe
- PID 540, vbc.exe
-
Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE
- PID 268, EQNEDT32.EXE (4 events)
-
Uses the VBS compiler for execution 1 TTPs
This signature keys on the process name vbc.exe. The binary here is the dropped C:\Users\Public\vbc.exe listed under Downloads (MD5 47fa27443cb1abe987ca9f653754b6d0), not the Visual Basic compiler shipped with the .NET Framework.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vbc.exe, wininit.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zpxtgza = "C:\\Users\\Public\\Libraries\\azgtxpZ.url" (vbc.exe)
- Key created: \Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (wininit.exe)
The loader's Run value is an Internet shortcut (.url) under C:\Users\Public\Libraries, a directory every local user can write to. Run entries that resolve to .url or .lnk files outside Program Files are worth hunting for on their own, independent of this sample.
-
Suspicious use of SetThreadContext 2 IoCs
Processes: ieinstal.exe, wininit.exe
- PID 1740 (ieinstal.exe) set thread context of PID 1220 (Explorer.EXE)
- PID 1360 (wininit.exe) set thread context of PID 1220 (Explorer.EXE)
Setting the context of a thread that belongs to another process is the hand-off step of thread-hijacking injection: code is first placed in the target (the MapViewOfSection and WriteProcessMemory events below), then the thread's instruction pointer is redirected to it. Both payload hosts target the user's Explorer.EXE, which is where Xloader runs its ongoing activity.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Reading this key is ordinary Office start-up behaviour; it is recorded for completeness and is not by itself an indicator of compromise.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component that runs as a separate out-of-process COM server (hence the -Embedding switch in the process tree) and was built without modern mitigations such as ASLR and DEP, which is why memory-corruption bugs in it such as CVE-2017-11882 are so reliably exploitable. Here an embedded object in the workbook caused it to be launched, after which it fetched and ran a PE file.
-
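A static pre-check for the feature abused here, added as an example for this page (it is not code from the sandbox or from any tool the report names). It constructs a minimal workbook in memory that carries an embedded OLE object identified as Microsoft Equation 3.0 (ProgID Equation.3, CLSID {0002CE02-0000-0000-C000-000000000046}, both documented identifiers) and scans it the way one would scan PI_55034455.xlsx before detonating it. The workbook bytes are constructed and do not reproduce the real sample.

```python
"""Static triage of an .xlsx for an embedded Equation Editor object.

Added example for this report, not code from the sandbox or from any
tool it names. build_sample() produces a constructed, minimal workbook
that only mimics the embedding feature; it is not PI_55034455.xlsx.
"""
import io
import sys
import zipfile
from typing import Optional

# Microsoft Equation 3.0 identifiers: the ProgID as Excel writes it in the
# sheet XML, and CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte layout used inside OLE compound files, where the
# root directory entry stores it unencoded.
EQUATION3_PROGID = b'progId="Equation.3"'
EQUATION3_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def triage_xlsx(data: bytes) -> dict:
    """List embedded objects and flag any that identify as Equation Editor."""
    report = {"ole_objects": [], "equation_progid": [], "equation_clsid": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.startswith("xl/embeddings/"):
                report["ole_objects"].append(name)
                # A raw byte search is enough for real files too: the CLSID
                # sits in the root storage's directory entry as 16 plain bytes.
                if blob.startswith(OLE_MAGIC) and EQUATION3_CLSID_LE in blob:
                    report["equation_clsid"].append(name)
            elif name.startswith("xl/worksheets/") and EQUATION3_PROGID in blob:
                report["equation_progid"].append(name)
    if report["equation_progid"] or report["equation_clsid"]:
        report["verdict"] = "suspicious: embedded Equation Editor object"
    elif report["ole_objects"]:
        report["verdict"] = "review: embedded OLE object of another type"
    else:
        report["verdict"] = "clean: no embedded objects"
    return report


def build_sample(progid: Optional[str]) -> bytes:
    """Constructed workbook; progid=None yields one without any embedding."""
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
             '<sheetData/>')
    parts = [("[Content_Types].xml", b"<Types/>"), ("xl/workbook.xml", b"<workbook/>")]
    if progid is not None:
        sheet += f'<oleObjects><oleObject progId="{progid}" shapeId="1025" r:id="rId1"/></oleObjects>'
        # Fake OLE blob: header magic, padding, then the CLSID where a real
        # file's root directory entry would carry it. Anything other than
        # Equation.3 gets a null CLSID so it is seen as a different object.
        clsid = EQUATION3_CLSID_LE if progid == "Equation.3" else bytes(16)
        parts.append(("xl/embeddings/oleObject1.bin", OLE_MAGIC + bytes(504) + clsid + bytes(32)))
    sheet += "</worksheet>"
    parts.insert(2, ("xl/worksheets/sheet1.xml", sheet.encode()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in parts:
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # triage a real workbook
        with open(sys.argv[1], "rb") as fh:
            print(triage_xlsx(fh.read()))
    else:                                      # demo on the constructed samples
        for pid in ("Equation.3", "Package", None):
            print(pid, "->", triage_xlsx(build_sample(pid))["verdict"])
```

The scan handles OOXML only; a legacy binary .xls, or an RTF renamed to .xlsx, needs a different parser. Checking both the ProgID in the sheet XML and the CLSID in the embedding matters because either one alone can be stripped or renamed while the other still identifies the object.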
Modifies Internet Explorer settings
Processes: EXCEL.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer:
- Key created: Toolbar (EXCEL.EXE)
- Set value (str): Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: MenuExt (EXCEL.EXE)
- Key created: MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
These are Office 2010's own Internet Explorer context-menu and toolbar registrations, written when Excel first runs in a fresh profile; they are benign and unrelated to the sample.
-
Modifies registry key 1 TTPs 3 IoCs
The three events are the reg.exe invocations shown in the process tree: two "reg delete hkcu\Environment /v windir /f" and one "reg add hkcu\Environment /v windir ...".
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
- PID 1140, EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: ieinstal.exe, wininit.exe
- PID 1740, ieinstal.exe (2 events)
- PID 1360, wininit.exe (23 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
- PID 1220, Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: ieinstal.exe, wininit.exe
- PID 1740, ieinstal.exe (3 events)
- PID 1360, wininit.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: ieinstal.exe, wininit.exe, Explorer.EXE
- Token: SeDebugPrivilege, PID 1740, ieinstal.exe
- Token: SeDebugPrivilege, PID 1360, wininit.exe
- Token: SeShutdownPrivilege, PID 1220, Explorer.EXE (2 events)
SeDebugPrivilege is routinely enabled by injectors because it bypasses the DACL on process objects; both payload hosts request it. Explorer's SeShutdownPrivilege adjustments are normal shell behaviour.
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Explorer.EXE
- PID 1220, Explorer.EXE (4 events)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
- PID 1220, Explorer.EXE (4 events)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
- PID 1140, EXCEL.EXE (3 events)
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes: EQNEDT32.EXE, vbc.exe, cmd.exe, Explorer.EXE
Source PID (image) -> target PID (image): event count
- 268 (EQNEDT32.EXE) -> 540 (vbc.exe): 4
- 540 (vbc.exe) -> 1740 (ieinstal.exe): 10
- 540 (vbc.exe) -> 552 (cmd.exe): 4
- 552 (cmd.exe) -> 1708 (cmd.exe): 4
- 1708 (cmd.exe) -> 876 (reg.exe): 4
- 1708 (cmd.exe) -> 888 (reg.exe): 4
- 1708 (cmd.exe) -> 1060 (schtasks.exe): 4
- 1220 (Explorer.EXE) -> 1360 (wininit.exe): 4
- 540 (vbc.exe) -> 1216 (cmd.exe): 4
- 1216 (cmd.exe) -> 1516 (reg.exe): 4
Every ordinary parent/child launch in this report shows exactly four writes from the parent into the new child, so the rows with four events confirm parentage rather than injection. The ten writes from vbc.exe into ieinstal.exe are the exception: that is the loader placing the Xloader payload in its first host before ieinstal.exe in turn injects into Explorer.EXE.
Processes
-
Process tree from behavioral1. Indentation shows parent/child; each entry gives the image path, the command line, and the signatures attributed to that process.

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PI_55034455.xlsx
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\wininit.exe
      command line: "C:\Windows\SysWOW64\wininit.exe"
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      Note: started by the already-injected Explorer.EXE as the second payload host. The genuine wininit.exe runs once per boot from System32 as a child of smss.exe, so a 32-bit copy launched under Explorer is anomalous on its own.

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Note: -Embedding means the process was started as an out-of-process OLE server by DCOM when Excel activated the embedded object, which is why it appears as a root of the tree rather than as a child of EXCEL.EXE.

    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\internet explorer\ieinstal.exe
          command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Public\Trast.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                  command line: reg delete hkcu\Environment /v windir /f
                  - Modifies registry key

                C:\Windows\SysWOW64\reg.exe
                  command line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
                  - Modifies registry key

                C:\Windows\SysWOW64\schtasks.exe
                  command line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                  Note: this pair of commands is the SilentCleanup UAC bypass. The built-in SilentCleanup task is configured to run with highest available privileges in the invoking user's context, and its action is written as %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%. Per-user variables in HKCU\Environment are applied when the task's action is expanded, so after the reg add above the task launches cmd /c start /min C:\Users\Public\KDECO.bat (with the reg delete passed to it as arguments) with an elevated token and no UAC prompt; the trailing && REM comments out the remainder of the original cleanmgr path. The embedded reg delete removes the override as soon as it has been used. This works for users in the local Administrators group under the default UAC setting, which is the case for the sandbox's Admin account.

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Public\nest.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              command line: reg delete hkcu\Environment /v windir /f
              - Modifies registry key
              Note: nest.bat clears the hijacked windir value a second time, so the override is present in the profile only for the moment the task needs it.
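The chain above rendered as detection logic, added here as an example (it is not part of the report and not taken from any Sysmon or Sigma rule set). The rules flag Equation Editor spawning a child, an executable launched from C:\Users\Public, reg.exe redefining HKCU\Environment\windir, a SilentCleanup run correlated with that hijack, and autostart writes to Run or Policies\Explorer\Run. PIDs, paths and command lines are copied from this page; the event records themselves are constructed (no real telemetry), and the rule names and severities are this example's own.

```python
"""Detection logic for the execution chain in this report, run over
constructed Sysmon-style events.

Added example, not part of the sandbox report. EVENTS is hand-built from
the command lines and registry writes shown on this page (PIDs match the
report) and is not real telemetry; field names follow Sysmon EID 1
(process create) and EID 13 (registry value set).
"""
import re

SILENTCLEANUP_TN = r"\microsoft\windows\diskcleanup\silentcleanup"
RUN_KEY_RE = re.compile(r"\\currentversion\\(policies\\explorer\\)?run\\", re.I)
PUBLIC_EXE_RE = re.compile(r"\\users\\public\\[^\\]+\.exe$", re.I)
# windir is a machine variable; a per-user "reg add" of it is never legitimate.
WINDIR_ADD_RE = re.compile(r"\badd\b.*hkcu\\environment.*/v\s+windir\b", re.I)


def proc(pid, image, parent_image, cmdline):
    return {"type": "process", "pid": pid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline}


def regset(pid, image, key, value):
    return {"type": "registry", "pid": pid, "image": image, "key": key, "value": value}


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC, CMD, REG = r"C:\Users\Public\vbc.exe", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe"
HKCU = r"HKU\S-1-5-21-2513283230-931923277-594887482-1000"

EVENTS = [  # constructed; order follows the report's process tree
    proc(1140, EXCEL, r"C:\Windows\Explorer.EXE",
         f'"{EXCEL}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\PI_55034455.xlsx'),
    regset(1140, EXCEL, HKCU + r"\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton", "Yes"),
    proc(540, VBC, EQNEDT, f'"{VBC}"'),
    proc(1740, r"C:\Program Files (x86)\internet explorer\ieinstal.exe", VBC,
         r'"C:\Program Files (x86)\internet explorer\ieinstal.exe"'),
    proc(552, CMD, VBC, r'cmd /c ""C:\Users\Public\Trast.bat" "'),
    proc(1708, CMD, CMD, r"C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat"),
    proc(876, REG, CMD, r"reg delete hkcu\Environment /v windir /f"),
    proc(888, REG, CMD, r'reg add hkcu\Environment /v windir /d "cmd /c start /min '
                        r'C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "'),
    proc(1060, r"C:\Windows\SysWOW64\schtasks.exe", CMD,
         r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    regset(540, VBC, HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Zpxtgza",
           r"C:\Users\Public\Libraries\azgtxpZ.url"),
    regset(1360, r"C:\Windows\SysWOW64\wininit.exe",
           HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\0LPXFRO8_VTP",
           r"C:\Program Files (x86)\internet explorer\ieinstal.exe"),
]


def _alert(rule, technique, severity, e):
    evidence = e.get("cmdline") or f'{e["key"]} = {e["value"]}'
    return {"rule": rule, "technique": technique, "severity": severity,
            "pid": e["pid"], "image": e["image"], "evidence": evidence}


def detect(events):
    """Evaluate events in order; a SilentCleanup run is escalated only when a
    windir hijack was seen earlier, which is the UAC-bypass sequence."""
    alerts, windir_hijacked = [], False
    for e in events:
        img = e["image"].lower()
        if e["type"] == "process":
            cmd, parent = e["cmdline"], e["parent_image"].lower()
            if parent.endswith("\\eqnedt32.exe"):
                alerts.append(_alert("eqnedt32_child", "T1203", "high", e))
            if PUBLIC_EXE_RE.search(img):
                alerts.append(_alert("exe_from_users_public", None, "medium", e))
            if img.endswith("\\reg.exe") and WINDIR_ADD_RE.search(cmd):
                windir_hijacked = True
                alerts.append(_alert("windir_env_hijack", "T1548.002", "high", e))
            if img.endswith("\\schtasks.exe") and SILENTCLEANUP_TN in cmd.lower():
                if windir_hijacked:
                    alerts.append(_alert("uac_bypass_silentcleanup", "T1548.002", "high", e))
                else:
                    alerts.append(_alert("silentcleanup_manual_run", "T1548.002", "low", e))
        else:  # registry value set
            key, val = e["key"].lower(), e["value"].lower()
            if RUN_KEY_RE.search(key) and ("\\policies\\explorer\\" in key
                                           or "\\users\\public\\" in val
                                           or val.endswith((".url", ".lnk"))):
                alerts.append(_alert("autostart_write", "T1547.001", "high", e))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'[{a["severity"]:6}] {a["rule"]:26} pid={a["pid"]:<5} {a["evidence"]}')
```

The windir-to-SilentCleanup correlation is stateful on purpose: a manual run of SilentCleanup on its own is low-value noise, but the same command a few events after a per-user windir rewrite is the complete bypass. The Excel events are included as negatives; the Internet Explorer toolbar write must not fire, otherwise every Office first-launch would page someone.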
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Trast.bat
- MD5: 4068c9f69fcd8a171c67f81d4a952a54
- SHA1: 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
- SHA256: 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
- SHA512: a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.bat
- MD5: eaf8d967454c3bbddbf2e05a421411f8
- SHA1: 6170880409b24de75c2dc3d56a506fbff7f6622c
- SHA256: f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
- SHA512: fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.bat
- MD5: 8ada51400b7915de2124baaf75e3414c
- SHA1: 1a7b9db12184ab7fd7fce1c383f9670a00adb081
- SHA256: 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
- SHA512: 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; every copy has the same hashes)
- MD5: 47fa27443cb1abe987ca9f653754b6d0
- SHA1: 886a56f419a6e4bc65c603089ee9e9d4f6ad7a54
- SHA256: a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db
- SHA512: 7dd0b2d5a3716a7ea88f4ca621dc55ec5e3d8a7111e3f373d4631dcdb17c858753e2c55e1723e8c16501ba0d86cc2778cb01bf3ffb791563aa014ef94142e4ac
-
Not captured: C:\Users\Public\KDECO.bat, the script that the hijacked windir value hands to the SilentCleanup task, and C:\Users\Public\Libraries\azgtxpZ.url, the Run-key target, do not appear among the dropped files, so their contents cannot be recovered from this report.
-
Memory dumps (resource: region, size; mapping.dmp entries are the image mappings recorded when each process was created)
- memory/268-62-0x0000000075D41000-0x0000000075D43000-memory.dmp: 8KB
- memory/540-67-0x0000000000000000-mapping.dmp
- memory/540-71-0x00000000001B0000-0x00000000001B1000-memory.dmp: 4KB
- memory/540-73-0x0000000000260000-0x000000000027B000-memory.dmp: 108KB
- memory/552-77-0x0000000000000000-mapping.dmp
- memory/876-81-0x0000000000000000-mapping.dmp
- memory/888-82-0x0000000000000000-mapping.dmp
- memory/1060-83-0x0000000000000000-mapping.dmp
- memory/1140-59-0x000000002F611000-0x000000002F614000-memory.dmp: 12KB
- memory/1140-60-0x0000000070F91000-0x0000000070F93000-memory.dmp: 8KB
- memory/1140-61-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1140-98-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1216-94-0x0000000000000000-mapping.dmp
- memory/1220-88-0x0000000004FA0000-0x0000000005098000-memory.dmp: 992KB
- memory/1220-97-0x0000000006AA0000-0x0000000006BCC000-memory.dmp: 1.2MB
- memory/1360-89-0x0000000000000000-mapping.dmp
- memory/1360-90-0x00000000004A0000-0x00000000004BA000-memory.dmp: 104KB
- memory/1360-91-0x00000000000C0000-0x00000000000E9000-memory.dmp: 164KB
- memory/1360-92-0x0000000001FC0000-0x00000000022C3000-memory.dmp: 3.0MB
- memory/1360-93-0x00000000004C0000-0x000000000054F000-memory.dmp: 572KB
- memory/1516-96-0x0000000000000000-mapping.dmp
- memory/1708-79-0x0000000000000000-mapping.dmp
- memory/1740-76-0x0000000000000000-mapping.dmp
- memory/1740-84-0x00000000000A0000-0x00000000000A1000-memory.dmp: 4KB
- memory/1740-85-0x0000000010410000-0x0000000010439000-memory.dmp: 164KB
- memory/1740-86-0x00000000021C0000-0x00000000024C3000-memory.dmp: 3.0MB
- memory/1740-87-0x0000000000200000-0x0000000000210000-memory.dmp: 64KB

The two payload hosts carry the same region layout: a 3.0MB (0x303000) buffer and the 164KB (0x29000) image that the xloader yara rule matched. The regions in Explorer.EXE (PID 1220) are the only dumps from a process the loader did not start itself and are consistent with the MapViewOfSection and SetThreadContext events from ieinstal.exe and wininit.exe.