Analysis

max time kernel: 150s
max time network: 200s
platform: windows7_x64
resource: win7v20210408
submitted: 23-09-2021 06:14

Static task: static1
Behavioral task: behavioral1 (sample DHL_Sender_Documents_Details_021230900.xlsx, resource win7v20210408)
Behavioral task: behavioral2 (sample DHL_Sender_Documents_Details_021230900.xlsx, resource win10v20210408)

The signatures, process tree, memory dumps and dropped files below are from behavioral1 (windows7_x64); the YARA resource paths all start with behavioral1/.

General

Target: DHL_Sender_Documents_Details_021230900.xlsx
Size: 355KB
MD5: e5c6389fe4c43e736bbe304ac2aa9912
SHA1: 5d4bb21ef27c9b712c33a367c461ea78defb2849
SHA256: c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198
SHA512: 2138ffc7b261c3c81467d8ca7fb9638f82896e74fb5147588a50edf5fc619a26994992bc6de1e455157bf65e2f14bf8fdcc771a8188f1a6a45c7b957bffe0287
Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign ID (URI path): m0np
C2: http://www.devmedicalcentre.com/m0np/
Decoy domains (the rest of the config's domain list; XLoader also sends traffic to these, but they are unrelated third-party sites and are not attacker infrastructure on their own):
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
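A worked check added here by the editor, not part of the Triage report: the extracted config gives one real C2 URL and a long list of decoy domains, and for network detection the discriminating indicator is the campaign path /m0np/, not the host list. The script classifies constructed proxy-log lines against the config values above. The log lines, their query strings, the client addresses and the example.com line are made up for the example, and only three of the decoy domains are included; a deployment would load the whole list.

```python
from urllib.parse import urlsplit
from typing import List, Optional, Tuple

# Values taken from the extracted config above.
C2_URL = "http://www.devmedicalcentre.com/m0np/"
CAMPAIGN_PATH = "/m0np/"   # the campaign ID doubles as the check-in URI path
# Three of the decoy domains from the list above (subset for the example).
DECOY_DOMAINS = {"gruppovimar.com", "seniordatingtv.com", "zs4.info"}


def norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so config and log hosts compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = norm_host(urlsplit(C2_URL).hostname)


def classify(url: str) -> Optional[str]:
    """Return a verdict for one URL, or None if it touches nothing from the config.

    c2_checkin             real C2 host with the campaign path: high confidence
    campaign_path_on_decoy campaign path sent to a decoy host: bot traffic, host itself benign
    listed_host_only       config host without the campaign path: weak, usually normal browsing
    """
    parts = urlsplit(url)
    host = norm_host(parts.hostname or "")
    path = parts.path or "/"
    if host == C2_HOST and path.startswith(CAMPAIGN_PATH):
        return "c2_checkin"
    if host in DECOY_DOMAINS and path.startswith(CAMPAIGN_PATH):
        return "campaign_path_on_decoy"
    if host == C2_HOST or host in DECOY_DOMAINS:
        return "listed_host_only"
    return None


# Constructed proxy log lines in the form "<client> <method> <url>"; not from the report.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.devmedicalcentre.com/m0np/?ab12=ZXhhbXBsZQ",
    "10.0.0.5 GET http://www.gruppovimar.com/m0np/?ab12=ZXhhbXBsZQ",
    "10.0.0.7 GET https://www.seniordatingtv.com/about",
    "10.0.0.7 GET https://example.com/",
]


def triage_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, verdict, url) for every line that matches config infrastructure."""
    hits = []
    for line in lines:
        client, _method, url = line.split(maxsplit=2)
        verdict = classify(url)
        if verdict is not None:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(*hit)
```

The tiering matters in practice: a host-only blocklist built from the whole config would block dozens of legitimate sites and page on every visit to them, whereas the campaign path on any listed host is specific to this build. The ET "FormBook CnC Checkin (GET)" rule above catches the request format generically and is the complement to this config-specific check.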
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

XLoader is the renamed continuation of FormBook and keeps its check-in format, which is why the FormBook rule fires. The "Macro DL EXE" rule name refers to macros, but the sample is an .xlsx with no macro; the EXE download it matched was made by EQNEDT32.EXE (see "Blocklisted process makes network request" and "Downloads MZ/PE file" below).
Xloader Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/812-72-0x000000000041D450-mapping.dmp | xloader
behavioral1/memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
Blocklisted process makes network request (1 IoC)
flow | pid | process
5 | 1724 | EQNEDT32.EXE

Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
pid | process
924 | vbc.exe
812 | vbc.exe

Loads dropped DLL (4 IoCs)
pid | process
1724 | EQNEDT32.EXE
1724 | EQNEDT32.EXE
1724 | EQNEDT32.EXE
924 | vbc.exe

Uses the VBS compiler for execution (1 TTPs)
This signature keys on the file name: vbc.exe is the name of the Visual Basic compiler shipped with .NET. The vbc.exe in this run is the dropped NSIS installer in C:\Users\Public (see "NSIS installer" below and its hashes under Downloads), so treat the name as a masquerade rather than as compiler abuse.
Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 924 set thread context of 812 | 924 | vbc.exe | vbc.exe
PID 812 set thread context of 1204 | 812 | vbc.exe | Explorer.EXE
PID 812 set thread context of 1204 | 812 | vbc.exe | Explorer.EXE
PID 540 set thread context of 1204 | 540 | NETSTAT.EXE | Explorer.EXE
Read together with the WriteProcessMemory rows below, this is the hollowing and thread-hijack chain: the dropper (924) writes into and redirects a second copy of itself (812), the unpacked payload in 812 injects into Explorer.EXE (1204), Explorer then starts NETSTAT.EXE (540), and the payload running in NETSTAT.EXE injects into Explorer again.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the signature's generic description. XLoader is an information stealer; nothing else in this report points to encryption or ransom activity.
NSIS installer (12 IoCs)
resource | yara_rule
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_1
C:\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_1
C:\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_1
C:\Users\Public\vbc.exe | nsis_installer_2
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid | process
540 | NETSTAT.EXE
NETSTAT.EXE was not run to look at the network. It is the legitimate SysWOW64 binary that the injected Explorer.EXE launched, and it carries the XLoader payload in memory (see the Xloader Payload YARA hit on PID 540). XLoader picks its final host from a list of Windows executables, so the process name will differ between detonations; the "gathers network information" reading is a side effect of that choice.

Launches Equation Editor (1 TTPs, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (9 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
These are the context-menu and toolbar registrations ("Export to Microsoft Excel", "Send to OneNote") that Office writes the first time Excel runs on a profile. They are Office behaviour, not the sample's.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
520 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | process
812 | vbc.exe (3 entries)
540 | NETSTAT.EXE (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1204 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
812 | vbc.exe (4 entries)
540 | NETSTAT.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | process
Token: SeDebugPrivilege | 812 | vbc.exe
Token: SeShutdownPrivilege | 1204 | Explorer.EXE (4 entries)
Token: SeDebugPrivilege | 540 | NETSTAT.EXE
Token: SeShutdownPrivilege | 1204 | Explorer.EXE (2 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process
1204 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process
1204 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
520 | EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process
PID 1724 wrote to memory of 924 | 1724 | EQNEDT32.EXE | vbc.exe (4 entries)
PID 924 wrote to memory of 812 | 924 | vbc.exe | vbc.exe (7 entries)
PID 1204 wrote to memory of 540 | 1204 | Explorer.EXE | NETSTAT.EXE (4 entries)
PID 540 wrote to memory of 1788 | 540 | NETSTAT.EXE | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DHL_Sender_Documents_Details_021230900.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: EQNEDT32.EXE is a second root rather than a child of EXCEL.EXE because Equation Editor is started out-of-process through COM (the -Embedding switch), so a rule that only looks for Office spawning a child misses this chain; key on EQNEDT32.EXE spawning anything at all, and on execution from C:\Users\Public. The cmd.exe /c del step is the payload inside NETSTAT.EXE removing the dropper once the unpacked code is resident in memory, which is why the dropper hash under Downloads is only recoverable from the sandbox or from a capture taken before that step.
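The same chain as it would appear in endpoint telemetry, with the checks an analyst would turn into detection rules. This is an example added by the editor, not code from the report or from Triage. The event records are constructed to mirror the report's PIDs, image paths and command lines (field names follow Sysmon Event ID 1); the parent PIDs given for Explorer.EXE (1100) and EQNEDT32.EXE (680), the notepad.exe line, and the directory and allow lists are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events modelled on Sysmon Event ID 1 fields. PIDs, images and
# command lines mirror the report's process tree; the ppid values for Explorer.EXE (1100) and
# EQNEDT32.EXE (680) and the notepad.exe line are assumptions added for the example.
EVENTS: List[Dict] = [
    {"pid": 1204, "ppid": 1100, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 520, "ppid": 1204,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
                r"C:\Users\Admin\AppData\Local\Temp\DHL_Sender_Documents_Details_021230900.xlsx"},
    {"pid": 1724, "ppid": 680,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 924, "ppid": 1724, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 812, "ppid": 924, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 540, "ppid": 1204, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\NETSTAT.EXE"'},
    {"pid": 1788, "ppid": 540, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\Public\vbc.exe"'},
    {"pid": 2000, "ppid": 1204, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Directories any user can write to: prefix match, except entries starting with a backslash,
# which are matched anywhere in the path (per-user temp). Assumed lists, extend per environment.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binaries that legitimately launch cmd.exe; any other System32/SysWOW64 image doing so is odd.
SHELL_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                 "services.exe", "svchost.exe", "msiexec.exe"}
DEL_RE = re.compile(r'/c\s+(?:del|erase)\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_any(path: str, prefixes: Tuple[str, ...]) -> bool:
    p = path.lower()
    return any((pre in p) if pre.startswith("\\") else p.startswith(pre) for pre in prefixes)


def evaluate(events: List[Dict]) -> List[Tuple[str, int]]:
    """Run the four chain checks over the events; returns (rule, pid) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = e["image"], e["cmdline"]
        # 1. Equation Editor has no reason to create processes at all.
        if parent and basename(parent["image"]) == "eqnedt32.exe":
            findings.append(("eqnedt32_spawns_child", e["pid"]))
        # 2. Execution from a world-writable drop location.
        if in_any(img, USER_WRITABLE):
            findings.append(("exec_from_user_writable", e["pid"]))
        # 3. A dropped binary starting a second copy of itself: the staging step before hollowing.
        if parent and in_any(img, USER_WRITABLE) and parent["image"].lower() == img.lower():
            findings.append(("self_spawn_same_image", e["pid"]))
        # 4. A non-shell system binary running cmd.exe /c del on a user-writable path (dropper cleanup).
        m = DEL_RE.search(cmd)
        if (m and basename(img) == "cmd.exe" and parent
                and in_any(parent["image"], SYSTEM_DIRS)
                and basename(parent["image"]) not in SHELL_PARENTS
                and in_any(m.group(1), USER_WRITABLE)):
            findings.append(("system_binary_deletes_dropper", e["pid"]))
    return findings


def ancestry(events: List[Dict], pid: int) -> List[int]:
    """Walk ppid links upward from pid until the parent is outside the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32} pid={pid:<5} chain={' <- '.join(map(str, ancestry(EVENTS, pid)))}")
```

Rule 4 is the one worth keeping even when the others are tuned out: the cleanup step is performed by whichever Windows binary XLoader picked as its host, so the parent name changes per infection but "system binary, not a shell, deleting a file in a user-writable directory via cmd.exe" does not. Process-creation telemetry alone cannot see the SetThreadContext calls; rule 3 is the visible proxy for them.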
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe (three identical entries in the report; the dropped NSIS installer)
MD5: 62c72f781d7001dff6d747ee91e33e32
SHA1: ed9fb1d769fd4655a335884d26875758fe67433c
SHA256: 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
SHA512: 2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

\Users\Admin\AppData\Local\Temp\nsq50FD.tmp\ojcwnasg.dll (a DLL unpacked into the NSIS installer's ns*.tmp working directory, consistent with the "Loads dropped DLL" hit for PID 924)
MD5: a1c31e0436d00eb00481b5c0f39fa849
SHA1: 1c71dc6fb7b93c99722dba7deee53dda9e19f5a5
SHA256: 856362062f444906aa7cce79dab2727d9fbcdfc3d6ac5241819c1586d3693f8b
SHA512: 466bbf168192502b718eca1e83f5120e4b144f77754ac276b577ec7cddd30dd93c3a3465e1e6ff9db0884cf4c3ca9a62867a9522dd88f20cf93200be3287768b

\Users\Public\vbc.exe (three identical entries; same file as C:\Users\Public\vbc.exe above)
MD5: 62c72f781d7001dff6d747ee91e33e32
SHA1: ed9fb1d769fd4655a335884d26875758fe67433c
SHA256: 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
SHA512: 2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d
memory/520-86-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/520-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/520-59-0x000000002F331000-0x000000002F334000-memory.dmp (12KB)
memory/520-60-0x00000000716A1000-0x00000000716A3000-memory.dmp (8KB)
memory/540-84-0x0000000001E80000-0x0000000001F10000-memory.dmp (576KB)
memory/540-79-0x0000000000000000-mapping.dmp
memory/540-83-0x0000000002090000-0x0000000002393000-memory.dmp (3.0MB)
memory/540-81-0x0000000000180000-0x0000000000189000-memory.dmp (36KB)
memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
memory/812-72-0x000000000041D450-mapping.dmp
memory/812-77-0x0000000000540000-0x0000000000551000-memory.dmp (68KB)
memory/812-75-0x00000000003E0000-0x00000000003F1000-memory.dmp (68KB)
memory/812-74-0x0000000000950000-0x0000000000C53000-memory.dmp (3.0MB)
memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/924-66-0x0000000000000000-mapping.dmp
memory/1204-78-0x0000000006F60000-0x00000000070A5000-memory.dmp (1.3MB)
memory/1204-76-0x00000000041D0000-0x00000000042B4000-memory.dmp (912KB)
memory/1204-85-0x0000000007140000-0x0000000007285000-memory.dmp (1.3MB)
memory/1724-62-0x0000000075891000-0x0000000075893000-memory.dmp (8KB)
memory/1788-80-0x0000000000000000-mapping.dmp

Two region sizes recur across the injection chain: 0x29000 bytes (164KB) at 0x400000 in PID 812 and at 0x80000 in PID 540, and 0x303000 bytes (3.0MB) at 0x950000 in 812 and at 0x2090000 in 540. The 164KB regions are the two the xloader YARA rule matched, so the same unpacked payload image is resident in the hollowed vbc.exe and in NETSTAT.EXE; 0x400000 is the default 32-bit image base, consistent with the payload being written over the child's original image. The 812-72 mapping dump at 0x41D450 falls inside that region, consistent with the redirected thread entry point from the parent's SetThreadContext call.
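A pivot over the dump list, added by the editor and not part of the report: parse the dump names, group regions by exact size, and keep sizes that appear in more than one process. On this report that isolates the two regions shared by PID 812 and PID 540 without looking at the YARA results. The dump names are copied from the list above; the MIN_REGION threshold that drops small shared pages is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Dump names as listed in this report's Downloads section. mapping.dmp entries have no end
# address and are skipped by the parser.
DUMP_NAMES = [
    "memory/520-86-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/520-61-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/520-59-0x000000002F331000-0x000000002F334000-memory.dmp",
    "memory/520-60-0x00000000716A1000-0x00000000716A3000-memory.dmp",
    "memory/540-84-0x0000000001E80000-0x0000000001F10000-memory.dmp",
    "memory/540-79-0x0000000000000000-mapping.dmp",
    "memory/540-83-0x0000000002090000-0x0000000002393000-memory.dmp",
    "memory/540-81-0x0000000000180000-0x0000000000189000-memory.dmp",
    "memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/812-72-0x000000000041D450-mapping.dmp",
    "memory/812-77-0x0000000000540000-0x0000000000551000-memory.dmp",
    "memory/812-75-0x00000000003E0000-0x00000000003F1000-memory.dmp",
    "memory/812-74-0x0000000000950000-0x0000000000C53000-memory.dmp",
    "memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/924-66-0x0000000000000000-mapping.dmp",
    "memory/1204-78-0x0000000006F60000-0x00000000070A5000-memory.dmp",
    "memory/1204-76-0x00000000041D0000-0x00000000042B4000-memory.dmp",
    "memory/1204-85-0x0000000007140000-0x0000000007285000-memory.dmp",
    "memory/1724-62-0x0000000075891000-0x0000000075893000-memory.dmp",
    "memory/1788-80-0x0000000000000000-mapping.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Regions smaller than this are ignored: small shared pages (loader data, TEB-sized blocks)
# recur in every process and would drown the signal. The threshold is an assumption.
MIN_REGION = 0x10000


def parse_dump(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (pid, start, end) for a region dump name, or None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def shared_regions(names: List[str], min_pids: int = 2) -> Dict[int, List[Tuple[int, int]]]:
    """Group regions by exact size and keep sizes seen in at least min_pids distinct processes.

    Result maps size -> sorted list of (pid, start). An identical-size private region in two
    processes of one chain is the cheap tell that the same image was injected into both.
    """
    by_size = defaultdict(set)
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, start, end = parsed
        size = end - start
        if size >= MIN_REGION:
            by_size[size].add((pid, start))
    return {size: sorted(regs) for size, regs in by_size.items()
            if len({pid for pid, _ in regs}) >= min_pids}


def main() -> None:
    for size, regs in sorted(shared_regions(DUMP_NAMES).items()):
        where = ", ".join(f"pid {pid} @ {start:#x}" for pid, start in regs)
        print(f"{size:#x} ({size // 1024}KB): {where}")


if __name__ == "__main__":
    main()
```

The same grouping works on any sandbox or EDR memory-region listing that carries pid, start and end; pairing it with the process tree (812 and 540 are the hollowed child and the final host) turns a size coincidence into a candidate for carving the payload from the process that is easiest to dump.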