Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-09-2021 08:01
Static task: static1
Behavioral task: behavioral1
  Sample: SALES CONTRACT 914 VIPA ORDER 213581.xlsx
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: SALES CONTRACT 914 VIPA ORDER 213581.xlsx
  Resource: win10-en-20210920
General
- Target: SALES CONTRACT 914 VIPA ORDER 213581.xlsx
- Size: 587KB
- MD5: 57d15b392c41d1fef88631aa16d1717f
- SHA1: 19edf447fb1f102d85f22df4bdc13f8b5a3504bc
- SHA256: 16b2ff1b7878c49d974b08f7a91669a472c4bfacbfbf486209c6cefe2c117302
- SHA512: 6eba268985edf22d1cd0f6e9f905fc6b1896009fed103b221b100447a6c8d85c8d5316f22a333be61594361bf71c3b411ae30f588e933bb73cc32f745519147d
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: 9gdg
- C2: http://www.dechocolate.online/9gdg/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

Xloader Payload 2 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1100-68-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/1924-80-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader

Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  3     1544  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1176  vbc.exe
  1100  vbc.exe

Loads dropped DLL 5 IoCs
Processes:
  pid   process
  1544  EQNEDT32.EXE (4 events)
  1176  vbc.exe

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process      target process
  PID 1176 set thread context of 1100  1176  vbc.exe      vbc.exe
  PID 1100 set thread context of 1408  1100  vbc.exe      Explorer.EXE
  PID 1924 set thread context of 1408  1924  cmmon32.exe  Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer 14 IoCs
Processes:
  resource                 yara_rule
  \Users\Public\vbc.exe    nsis_installer_1, nsis_installer_2 (4 matches each)
  C:\Users\Public\vbc.exe  nsis_installer_1, nsis_installer_2 (3 matches each)

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: EXCEL.EXE
Modifies registry class 64 IoCs
Processes:
  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1740  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid   process
  1100  vbc.exe (2 events)
  1924  cmmon32.exe (27 events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1408  Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid   process
  1176  vbc.exe
  1100  vbc.exe (3 events)
  1924  cmmon32.exe (2 events)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1100  vbc.exe
  Token: SeShutdownPrivilege  1408  Explorer.EXE (6 events)
  Token: SeDebugPrivilege     1924  cmmon32.exe

Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  1408  Explorer.EXE (6 events)

Suspicious use of SendNotifyMessage 6 IoCs
Processes:
  pid   process
  1408  Explorer.EXE (6 events)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid   process
  1740  EXCEL.EXE (3 events)

Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description                       pid   process       target process
  PID 1544 wrote to memory of 1176  1544  EQNEDT32.EXE  vbc.exe (4 events)
  PID 1176 wrote to memory of 1100  1176  vbc.exe       vbc.exe (5 events)
  PID 1408 wrote to memory of 1924  1408  Explorer.EXE  cmmon32.exe (4 events)
  PID 1924 wrote to memory of 1160  1924  cmmon32.exe   cmd.exe (4 events)
Processes
- C:\Windows\Explorer.EXE (depth 1)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 2)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SALES CONTRACT 914 VIPA ORDER 213581.xlsx"
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmmon32.exe (depth 2)
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
        command line: /c del "C:\Users\Public\vbc.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (depth 2)
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe (depth 3)
        command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; the same file appears 7 times with identical hashes)
  MD5: 9d38faec3253e9ce395c8970d03d8180
  SHA1: 53128b83b922c39ed32065c9d8baae2c13059719
  SHA256: 1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
  SHA512: 0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a
- \Users\Admin\AppData\Local\Temp\nsgCA51.tmp\chav.dll
  MD5: 03cae9032f6d2d44d8ecd93c87f1313f
  SHA1: fe8f16836750db7d7fcb42d1d0ea77d55d145832
  SHA256: ba8dc1fbfac80564485d83433578839c4ffe432e4ec3e81182fb7eadcc54c6b8
  SHA512: 5871980c59e457f47e47c86232640b2211c89bc6d3a9da7f89bf73f8f09fc6a8a48c9b88412c84367d7162349103192107ec24af637cd96227edd0db320fdc67
- memory/1100-69-0x0000000000810000-0x0000000000B13000-memory.dmp  Filesize: 3.0MB
- memory/1100-66-0x000000000041D4A0-mapping.dmp
- memory/1100-68-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/1100-70-0x00000000002C0000-0x00000000002D1000-memory.dmp  Filesize: 68KB
- memory/1160-81-0x0000000000000000-mapping.dmp
- memory/1176-61-0x0000000000000000-mapping.dmp
- memory/1408-71-0x0000000006890000-0x0000000006969000-memory.dmp  Filesize: 868KB
- memory/1408-83-0x0000000006F80000-0x0000000007063000-memory.dmp  Filesize: 908KB
- memory/1544-56-0x00000000765A1000-0x00000000765A3000-memory.dmp  Filesize: 8KB
- memory/1740-74-0x0000000005CD0000-0x000000000691A000-memory.dmp  Filesize: 12.3MB
- memory/1740-54-0x0000000071C51000-0x0000000071C53000-memory.dmp  Filesize: 8KB
- memory/1740-53-0x000000002F2B1000-0x000000002F2B4000-memory.dmp  Filesize: 12KB
- memory/1740-85-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1740-76-0x0000000005CD0000-0x000000000691A000-memory.dmp  Filesize: 12.3MB
- memory/1740-77-0x0000000005CD0000-0x000000000691A000-memory.dmp  Filesize: 12.3MB
- memory/1740-73-0x0000000005CD0000-0x000000000691A000-memory.dmp  Filesize: 12.3MB
- memory/1740-55-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1740-78-0x0000000005CD0000-0x000000000691A000-memory.dmp  Filesize: 12.3MB
- memory/1924-80-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
- memory/1924-72-0x0000000000000000-mapping.dmp
- memory/1924-82-0x0000000001DE0000-0x0000000001E70000-memory.dmp  Filesize: 576KB
- memory/1924-79-0x0000000000840000-0x000000000084D000-memory.dmp  Filesize: 52KB
- memory/1924-75-0x0000000001F70000-0x0000000002273000-memory.dmp  Filesize: 3.0MB