Analysis
- max time kernel: 149s
- max time network: 191s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 20-09-2021 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: Hua Joo Success Industry.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Hua Joo Success Industry.xlsx
  Resource: win10-en
General
- Target: Hua Joo Success Industry.xlsx
- Size: 590KB
- MD5: 74fa450d0d5c2635b91a63fec6a6014e
- SHA1: b9c4dde16c1882145f0cdf26400365f878c8608b
- SHA256: c4cf66d4270ed0cd9203da8136221f9615b65b2e99154c349ca70edbb0b73218
- SHA512: 81779b4cb9a9d9b2deb7ca911092ce2361db9d599546ff2ffbe665f68e08c0b4347ff4265eeaba1a730fe78abe4e429dbb29734b97cc6c08560e96c10ca8130b
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: euzn
- C2: http://www.heser.net/euzn/
- Decoy domains:
235296tyc.com
gold12guide.art
baibuaherb.com
weberwines.tax
chezvitoria.com
aidenb.tech
pitchdeckservice.com
surgeryforfdf.xyz
workunvaccinated.com
hrtaro.com
yourotcs.com
sonimultispecialityclinic.com
consultantadvisors.com
pentesting-consulting.com
dantechs.digital
longshifa.online
taweilai.net
imyusuke.com
cashndashfinancial.com
fasiglimt.quest
jakital.com
graywolfdesign.com
pepeavatar.com
predixlogisticscourier.com
football-transfer-news.pro
herbalmedication.xyz
esd66.com
janesgalant.quest
abcrefreshments.com
chaoxy.com
rediscoveringyouhealing.com
mcrjadr5.xyz
n4sins.com
faithful-presence.com
013yu.xyz
isystemslanka.com
newbeautydk.com
ethiopia-info.com
hgaffiliates.net
anodynemedicalmassage.com
esohgroup.com
clinicamonicabarros.com
rafathecook.com
londonescort.xyz
dreamites.com
webtiyan.com
cnnautorepair.com
soposhshop.com
aarohaninsight2021.com
arceprojects.com
mecasso.store
mirai-energy.com
barwg.com
angeescollections-shop.com
xinlishiqiaoqiao.xyz
linuxsauce.net
dirbn.com
anandiaper.xyz
blackpanther.online
livinwoodbridgefarms.com
diepraxiskommunikation.com
radiosaptshahid.com
gofieldtest.com
minxtales.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader Payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1992-79-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1992-80-0x000000000041D420-mapping.dmp | xloader
  behavioral1/memory/1596-88-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  6 | 304 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  1620 | vbc.exe
  1992 | vbc.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid | process
  304 | EQNEDT32.EXE
  304 | EQNEDT32.EXE
  304 | EQNEDT32.EXE
  304 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 1620 set thread context of 1992 | 1620 | vbc.exe | vbc.exe
  PID 1992 set thread context of 1208 | 1992 | vbc.exe | Explorer.EXE
  PID 1596 set thread context of 1208 | 1596 | svchost.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
-
Modifies registry class 9 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\DefaultIcon | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.gmkasm\ = "GMKAssembler.Project" | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\Shell\open\command | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\Shell\open\command\ = "\"C:\\Users\\Public\\vbc.exe\" \"%1\"" | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\DefaultIcon\ = "C:\\Users\\Public\\vbc.exe" | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.gmkasm | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\Shell | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\GMKAssembler.Project\Shell\open | vbc.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  816 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
  pid | process
  1992 | vbc.exe (2 entries)
  1596 | svchost.exe (18 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  1208 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid | process
  1992 | vbc.exe (3 entries)
  1596 | svchost.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1992 | vbc.exe
  Token: SeDebugPrivilege | 1596 | svchost.exe
  Token: SeShutdownPrivilege | 1208 | Explorer.EXE
  Token: SeShutdownPrivilege | 1208 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid | process
  1208 | Explorer.EXE (4 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid | process
  1208 | Explorer.EXE (4 entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  816 | EXCEL.EXE (3 entries)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
  description | pid | process | target process
  PID 304 wrote to memory of 1620 | 304 | EQNEDT32.EXE | vbc.exe (4 entries)
  PID 1620 wrote to memory of 1992 | 1620 | vbc.exe | vbc.exe (7 entries)
  PID 1208 wrote to memory of 1596 | 1208 | Explorer.EXE | svchost.exe (4 entries)
  PID 1596 wrote to memory of 1520 | 1596 | svchost.exe | cmd.exe (4 entries)
Processes
- Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Hua Joo Success Industry.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - Level 2: C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
- Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (listed 3 times)
  MD5: 6e1476a40e4f1b65294f5ff5df9f99d7
  SHA1: da3f2a6fb40d243ece92534253c79c2669bd4e69
  SHA256: a243b394a1a3377b3ae936e6ea896588cca8cc43f8b961bdecbbe324e28c283c
  SHA512: 0bfabd3b94785ddc530ba7b76258382f1212587c50f89da273294e6c698792c4d9296bd323d3814ae559cda1fd3ce3339d9a8e0f168e5e714fc9f804b0ddfc0f
-
\Users\Public\vbc.exe (listed 4 times)
  MD5: 6e1476a40e4f1b65294f5ff5df9f99d7
  SHA1: da3f2a6fb40d243ece92534253c79c2669bd4e69
  SHA256: a243b394a1a3377b3ae936e6ea896588cca8cc43f8b961bdecbbe324e28c283c
  SHA512: 0bfabd3b94785ddc530ba7b76258382f1212587c50f89da273294e6c698792c4d9296bd323d3814ae559cda1fd3ce3339d9a8e0f168e5e714fc9f804b0ddfc0f
-
memory/304-62-0x0000000075511000-0x0000000075513000-memory.dmpFilesize
8KB
-
memory/816-75-0x0000000005F20000-0x0000000006B6A000-memory.dmpFilesize
12.3MB
-
memory/816-92-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/816-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/816-59-0x000000002FBE1000-0x000000002FBE4000-memory.dmpFilesize
12KB
-
memory/816-60-0x0000000070FB1000-0x0000000070FB3000-memory.dmpFilesize
8KB
-
memory/816-76-0x0000000005F20000-0x0000000006B6A000-memory.dmpFilesize
12.3MB
-
memory/816-74-0x0000000005F20000-0x0000000006B6A000-memory.dmpFilesize
12.3MB
-
memory/1208-84-0x00000000061D0000-0x0000000006490000-memory.dmpFilesize
2.8MB
-
memory/1208-91-0x00000000061D0000-0x0000000006490000-memory.dmpFilesize
2.8MB
-
memory/1520-86-0x0000000000000000-mapping.dmp
-
memory/1596-85-0x0000000000000000-mapping.dmp
-
memory/1596-90-0x00000000004B0000-0x0000000000540000-memory.dmpFilesize
576KB
-
memory/1596-89-0x0000000000850000-0x0000000000B53000-memory.dmpFilesize
3.0MB
-
memory/1596-87-0x0000000000FA0000-0x0000000000FA8000-memory.dmpFilesize
32KB
-
memory/1596-88-0x00000000000C0000-0x00000000000E9000-memory.dmpFilesize
164KB
-
memory/1620-70-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/1620-73-0x0000000000860000-0x000000000087D000-memory.dmpFilesize
116KB
-
memory/1620-72-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/1620-78-0x0000000000AD0000-0x0000000000B07000-memory.dmpFilesize
220KB
-
memory/1620-77-0x0000000004DF0000-0x0000000004E57000-memory.dmpFilesize
412KB
-
memory/1620-67-0x0000000000000000-mapping.dmp
-
memory/1992-83-0x0000000000280000-0x0000000000291000-memory.dmpFilesize
68KB
-
memory/1992-82-0x0000000000850000-0x0000000000B53000-memory.dmpFilesize
3.0MB
-
memory/1992-80-0x000000000041D420-mapping.dmp
-
memory/1992-79-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB