Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en -
submitted
14-09-2021 09:51
Static task
static1
Behavioral task
behavioral1
Sample
Po2142021.xlsx
Resource
win7-en
Behavioral task
behavioral2
Sample
Po2142021.xlsx
Resource
win10-en
General
-
Target
Po2142021.xlsx
-
Size
587KB
-
MD5
76ea81747e2e9370b97e4d47ddfbabdd
-
SHA1
169fcccd26f30b2bdc6374efe085d5a45812f194
-
SHA256
100738b518fd653a4244f947f6793b69896cb4ef75876588c758e1d521c535c1
-
SHA512
5b8eb3eb4c6af0cf3035e7a8af940c0b1239058a4448f937d7494eb8107b6b069f4e14692aa25de21a5b2478b9d9ce0e5771c8d3bc2389a1edce428002caf9d5
Malware Config
Extracted
xloader
2.3
b6a4
http://www.helpmovingandstorage.com/b6a4/
gr2future.com
asteroid.finance
skoba-plast.com
rnerfrfw5z3ki.net
thesmartroadtoretirement.com
avisdrummondhomes.com
banban365.net
profesyonelkampcadiri.net
royalloanhs.com
yulujy.com
xn--naqejahan-n3b.com
msalee.net
dollyvee.com
albertagamehawkersclub.com
cbspecialists.com
findingforeverrealty.com
mrtireshop.com
wadamasanari.com
growtechinfo.com
qipai039.com
kdpwelness.com
heonyearthoo.com
comprarmiaspiradora.com
e38.site
aryadesigningstudio.com
wildwestkelly.com
mengzhanxy.com
kedaiherbalalami.com
mygaybookcase.com
meetheveganz.com
42shenmao.com
siimezhebi.com
id-ers.com
cabalzi.com
hellahealthy.life
mastermind-kc.com
erinkiauq.icu
shinebrightjournal.com
adventuresofdatinginnyc.com
kestuf.net
khadarelhodge.com
maximumsale.com
rishitaprabhu.com
dinhvitraitim.com
dalvascleaningservice.com
norfolkveggiebox.com
findsmartvestorpro.com
shuangyashanpower.com
shukujitsu.net
naughty0milf.today
jdjseshop.com
breathlessandinlove.com
abrosnm3.com
candoyuran.com
recargasasec.com
puffycannabis.com
shopnewmills.com
blue-sky-music.com
besthypee.com
idahocommunitynewsnetwork.com
darenscape.com
gamificationbiz.com
avosmains.net
starlangue.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1992-64-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1608-77-0x0000000000090000-0x00000000000B9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 6 1728 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1128 vbc.exe 1992 vbc.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEpid process 1728 EQNEDT32.EXE 1728 EQNEDT32.EXE 1728 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.exemsiexec.exedescription pid process target process PID 1128 set thread context of 1992 1128 vbc.exe vbc.exe PID 1992 set thread context of 1280 1992 vbc.exe Explorer.EXE PID 1608 set thread context of 1280 1608 msiexec.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2036 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
vbc.exemsiexec.exepid process 1992 vbc.exe 1992 vbc.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe 1608 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1280 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
vbc.exevbc.exemsiexec.exepid process 1128 vbc.exe 1992 vbc.exe 1992 vbc.exe 1992 vbc.exe 1608 msiexec.exe 1608 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
vbc.exeExplorer.EXEmsiexec.exedescription pid process Token: SeDebugPrivilege 1992 vbc.exe Token: SeShutdownPrivilege 1280 Explorer.EXE Token: SeShutdownPrivilege 1280 Explorer.EXE Token: SeDebugPrivilege 1608 msiexec.exe Token: SeShutdownPrivilege 1280 Explorer.EXE Token: SeShutdownPrivilege 1280 Explorer.EXE -
Suspicious use of FindShellTrayWindow 49 IoCs
Processes:
Explorer.EXEpid process 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE -
Suspicious use of SendNotifyMessage 49 IoCs
Processes:
Explorer.EXEpid process 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 2036 EXCEL.EXE 2036 EXCEL.EXE 2036 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEdescription pid process target process PID 1728 wrote to memory of 1128 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1128 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1128 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1128 1728 EQNEDT32.EXE vbc.exe PID 1128 wrote to memory of 1992 1128 vbc.exe vbc.exe PID 1128 wrote to memory of 1992 1128 vbc.exe vbc.exe PID 1128 wrote to memory of 1992 1128 vbc.exe vbc.exe PID 1128 wrote to memory of 1992 1128 vbc.exe vbc.exe PID 1128 wrote to memory of 1992 1128 vbc.exe vbc.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe PID 1280 wrote to memory of 1608 1280 Explorer.EXE msiexec.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Po2142021.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
C:\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
C:\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
\Users\Public\vbc.exeMD5
866d1aeb69daac5e6e4dda938edf8d26
SHA1184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee
-
memory/1128-63-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/1128-59-0x0000000000000000-mapping.dmp
-
memory/1280-67-0x00000000049F0000-0x0000000004B26000-memory.dmpFilesize
1.2MB
-
memory/1280-82-0x000007FEF5F80000-0x000007FEF60C3000-memory.dmpFilesize
1.3MB
-
memory/1280-80-0x0000000006B60000-0x0000000006C7B000-memory.dmpFilesize
1.1MB
-
memory/1280-83-0x000007FF05EB0000-0x000007FF05EBA000-memory.dmpFilesize
40KB
-
memory/1608-79-0x0000000000B20000-0x0000000000BAF000-memory.dmpFilesize
572KB
-
memory/1608-77-0x0000000000090000-0x00000000000B9000-memory.dmpFilesize
164KB
-
memory/1608-78-0x00000000022E0000-0x00000000025E3000-memory.dmpFilesize
3.0MB
-
memory/1608-76-0x0000000000BF0000-0x0000000000C04000-memory.dmpFilesize
80KB
-
memory/1608-73-0x0000000000000000-mapping.dmp
-
memory/1728-55-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB
-
memory/1992-64-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1992-65-0x0000000000890000-0x0000000000B93000-memory.dmpFilesize
3.0MB
-
memory/1992-66-0x00000000000F0000-0x0000000000100000-memory.dmpFilesize
64KB
-
memory/1992-61-0x000000000041D0B0-mapping.dmp
-
memory/2036-52-0x000000002F141000-0x000000002F144000-memory.dmpFilesize
12KB
-
memory/2036-53-0x0000000070E41000-0x0000000070E43000-memory.dmpFilesize
8KB
-
memory/2036-71-0x0000000006120000-0x0000000006D6A000-memory.dmpFilesize
12.3MB
-
memory/2036-72-0x0000000006120000-0x0000000006D6A000-memory.dmpFilesize
12.3MB
-
memory/2036-70-0x0000000006120000-0x0000000006D6A000-memory.dmpFilesize
12.3MB
-
memory/2036-69-0x0000000006120000-0x0000000006D6A000-memory.dmpFilesize
12.3MB
-
memory/2036-81-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2036-68-0x0000000006120000-0x0000000006D6A000-memory.dmpFilesize
12.3MB
-
memory/2036-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB