Analysis
- max time kernel: 150s
- max time network: 183s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 31-08-2021 20:28

Static task: static1
Behavioral task: behavioral1
  Sample: PO 446593.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: PO 446593.xlsx
  Resource: win10v20210410

General
- Target: PO 446593.xlsx
- Size: 595KB
- MD5: 1014d65c46ff68235ce581fd93f9336d
- SHA1: 9ee84e43d1820c322de569124e60ee585ba9604c
- SHA256: 7df06bd9c7d806c3a7b1bddc2b78c6052070b3445cad6d2f9d3f0a21b844075c
- SHA512: 72b5023e3151018cd8fa1a7081ccc55e23e84809d9c116c45077efe12d0e8aef7cfe0af6ed7280556a99d83e6247c3948e636f13509cc4fd4f3396e8d0403484
Malware Config
Extracted
xloader
2.3
utrf
http://www.tijprintersolution.com/utrf/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
- resource: behavioral1/memory/1392-77-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/1392-78-0x000000000041D150-mapping.dmp, yara_rule: xloader
- resource: behavioral1/memory/984-88-0x0000000000080000-0x00000000000A9000-memory.dmp, yara_rule: xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 6, pid 584, process EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
- pid 276, process vbc.exe
- pid 1392, process vbc.exe
-
Loads dropped DLL 4 IoCs
Processes:
- pid 584, process EQNEDT32.EXE (4 entries)
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 276 set thread context of 1392: vbc.exe -> vbc.exe
- PID 1392 set thread context of 1220: vbc.exe -> Explorer.EXE
- PID 984 set thread context of 1220: explorer.exe -> Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 2016, process EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
- pid 1392, process vbc.exe (2 entries)
- pid 984, process explorer.exe (17 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1220, process Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 1392, process vbc.exe (3 entries)
- pid 984, process explorer.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, pid 1392, process vbc.exe
- Token: SeDebugPrivilege, pid 984, process explorer.exe
- Token: SeShutdownPrivilege, pid 1220, process Explorer.EXE (2 entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid 2016, process EXCEL.EXE (3 entries)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
- PID 584 wrote to memory of 276: EQNEDT32.EXE -> vbc.exe (4 entries)
- PID 276 wrote to memory of 1392: vbc.exe -> vbc.exe (7 entries)
- PID 1220 wrote to memory of 984: Explorer.EXE -> explorer.exe (4 entries)
- PID 984 wrote to memory of 1784: explorer.exe -> cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO 446593.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
  MD5: 04179ebbab706ca5b7d7eda0becd3abc
  SHA1: db984084a4cb93805c8d15571430b0561495fa98
  SHA256: abaca5741431ff5f4d04ac153e6d06514d1a7d92154d9ae994d253297f582930
  SHA512: 75a2ecf6e07d565ca15d35740dd672bd1287436fbccad93848bd6b381ca21e22f5ce5c4e75e8f1392c11121cecea33670c42519b39cb0c8e80adf3c606f9366b
-
\Users\Public\vbc.exe
  MD5: 04179ebbab706ca5b7d7eda0becd3abc
  SHA1: db984084a4cb93805c8d15571430b0561495fa98
  SHA256: abaca5741431ff5f4d04ac153e6d06514d1a7d92154d9ae994d253297f582930
  SHA512: 75a2ecf6e07d565ca15d35740dd672bd1287436fbccad93848bd6b381ca21e22f5ce5c4e75e8f1392c11121cecea33670c42519b39cb0c8e80adf3c606f9366b
-
Memory dumps:
- memory/276-75-0x0000000004590000-0x00000000045F6000-memory.dmp (Filesize 408KB)
- memory/276-76-0x0000000000BE0000-0x0000000000C11000-memory.dmp (Filesize 196KB)
- memory/276-68-0x0000000000000000-mapping.dmp
- memory/276-71-0x0000000001050000-0x0000000001051000-memory.dmp (Filesize 4KB)
- memory/276-73-0x0000000004B60000-0x0000000004B61000-memory.dmp (Filesize 4KB)
- memory/276-74-0x0000000000650000-0x0000000000666000-memory.dmp (Filesize 88KB)
- memory/584-63-0x00000000754F1000-0x00000000754F3000-memory.dmp (Filesize 8KB)
- memory/984-85-0x000000006C391000-0x000000006C393000-memory.dmp (Filesize 8KB)
- memory/984-83-0x0000000000000000-mapping.dmp
- memory/984-90-0x0000000002220000-0x00000000022AF000-memory.dmp (Filesize 572KB)
- memory/984-89-0x00000000023B0000-0x00000000026B3000-memory.dmp (Filesize 3.0MB)
- memory/984-88-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize 164KB)
- memory/984-87-0x0000000000B90000-0x0000000000E11000-memory.dmp (Filesize 2.5MB)
- memory/1220-91-0x0000000003B80000-0x0000000003C64000-memory.dmp (Filesize 912KB)
- memory/1220-82-0x0000000006F60000-0x000000000709D000-memory.dmp (Filesize 1.2MB)
- memory/1392-81-0x00000000000B0000-0x00000000000C0000-memory.dmp (Filesize 64KB)
- memory/1392-80-0x0000000000990000-0x0000000000C93000-memory.dmp (Filesize 3.0MB)
- memory/1392-78-0x000000000041D150-mapping.dmp
- memory/1392-77-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1784-86-0x0000000000000000-mapping.dmp
- memory/2016-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/2016-60-0x000000002F6F1000-0x000000002F6F4000-memory.dmp (Filesize 12KB)
- memory/2016-61-0x0000000070F81000-0x0000000070F83000-memory.dmp (Filesize 8KB)
- memory/2016-92-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)