Analysis

max time kernel: 100s
max time network: 56s
platform: windows7_x64
resource: win7v20210408
submitted: 15-09-2021 06:05

Static task: static1

Behavioral task: behavioral1
  Sample: LIST OF ITEMS 2021 project.xlsx
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: LIST OF ITEMS 2021 project.xlsx
  Resource: win10-en
General

Target: LIST OF ITEMS 2021 project.xlsx
Size: 590KB
MD5: 4a1d13469a6c817242e8b567bf34ab9a
SHA1: a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256: 65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
SHA512: a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8
Malware Config

Signatures

Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    6 | 668 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1220 | vbc.exe

Checks QEMU agent file (2 TTPs, 1 IoC)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes (description | ioc | process):
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | vbc.exe

Loads dropped DLL (3 IoCs)
  Processes (pid | process):
    668 | EQNEDT32.EXE
    668 | EQNEDT32.EXE
    1528 | vbc.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
    1220 | vbc.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1220 set thread context of 1528 | 1220 | vbc.exe | vbc.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    1840 | EXCEL.EXE

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    1220 | vbc.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid | process):
    1840 | EXCEL.EXE
    1840 | EXCEL.EXE
    1840 | EXCEL.EXE
    1220 | vbc.exe
    1840 | EXCEL.EXE
    1840 | EXCEL.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 668 wrote to memory of 1220 | 668 | EQNEDT32.EXE | vbc.exe (recorded 4 times)
    PID 1220 wrote to memory of 1528 | 1220 | vbc.exe | vbc.exe (recorded 5 times)
Processes

[level 1] "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\LIST OF ITEMS 2021 project.xlsx" (PID 1840)
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

[level 1] "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (PID 668)
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  [level 2] "C:\Users\Public\vbc.exe" (PID 1220)
    - Executes dropped EXE
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [level 3] "C:\Users\Public\vbc.exe" (PID 1528)
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\vbc.exe (recorded five times, under both C:\Users\Public\vbc.exe and \Users\Public\vbc.exe)
  MD5: 451e4cd68c69c2c8b8fc93ad02e8754a
  SHA1: b87d041383fa59a21bff9666756efa2784282199
  SHA256: e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b
  SHA512: fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911
Memory dumps (path | filesize):
  memory/668-63-0x0000000075551000-0x0000000075553000-memory.dmp | 8KB
  memory/1220-66-0x0000000000000000-mapping.dmp
  memory/1220-80-0x00000000777B0000-0x0000000077959000-memory.dmp | 1.7MB
  memory/1220-70-0x0000000000370000-0x000000000037F000-memory.dmp | 60KB
  memory/1220-82-0x00000000779A0000-0x0000000077A76000-memory.dmp | 856KB
  memory/1220-81-0x0000000077990000-0x0000000077B10000-memory.dmp | 1.5MB
  memory/1528-77-0x00000000004017AC-mapping.dmp
  memory/1528-79-0x0000000000400000-0x0000000000553000-memory.dmp | 1.3MB
  memory/1528-83-0x00000000001B0000-0x00000000002B0000-memory.dmp | 1024KB
  memory/1840-62-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
  memory/1840-60-0x000000002F0A1000-0x000000002F0A4000-memory.dmp | 12KB
  memory/1840-61-0x0000000071831000-0x0000000071833000-memory.dmp | 8KB
  memory/1840-71-0x0000000005F50000-0x0000000006B9A000-memory.dmp | 12.3MB
  memory/1840-73-0x0000000005F50000-0x0000000006B9A000-memory.dmp | 12.3MB
  memory/1840-72-0x0000000005F50000-0x0000000006B9A000-memory.dmp | 12.3MB
  memory/1840-84-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB