PROFORMA-PDA 00GGTBGX00001A.xlsx

General
Target

PROFORMA-PDA 00GGTBGX00001A.xlsx

Filesize

362KB

Completed

24-09-2021 12:22

Score

10/10

MD5

3428e8b6d05df7add0dd9914432467a0

SHA1

89cd998b04e84731ebd9ec51c3d72ef40b15249e

SHA256

2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e

Malware Config

Extracted

Family xloader
Version 2.5
Campaign 9gdg
C2

http://www.dechocolate.online/9gdg/

Decoy

Signatures 25

Defense Evasion, Discovery, Execution
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    Description

    suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/396-66-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/396-67-0x000000000041D4A0-mapping.dmp | xloader
    behavioral1/memory/1288-78-0x0000000000090000-0x00000000000B9000-memory.dmp | xloader
  • Blocklisted process makes network request
    EQNEDT32.EXE, msiexec.exe

    Reported IOCs

    flow | pid | process
    3 | 536 | EQNEDT32.EXE
    22 | 1288 | msiexec.exe
  • Downloads MZ/PE file
  • Executes dropped EXE
    vbc.exe, vbc.exe

    Reported IOCs

    pid | process
    1084 | vbc.exe
    396 | vbc.exe
  • Loads dropped DLL
    EQNEDT32.EXE, vbc.exe

    Reported IOCs

    pid | process
    536 | EQNEDT32.EXE
    536 | EQNEDT32.EXE
    536 | EQNEDT32.EXE
    1084 | vbc.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    vbc.exe, vbc.exe, msiexec.exe

    Reported IOCs

    description | pid | process | target process
    PID 1084 set thread context of 396 | 1084 | vbc.exe | vbc.exe
    PID 396 set thread context of 1208 | 396 | vbc.exe | Explorer.EXE
    PID 396 set thread context of 1208 | 396 | vbc.exe | Explorer.EXE
    PID 1288 set thread context of 1208 | 1288 | msiexec.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • NSIS installer

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00050000000125b7-58.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-58.dat | nsis_installer_2
    behavioral1/files/0x00050000000125b7-60.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-60.dat | nsis_installer_2
    behavioral1/files/0x00050000000125b7-59.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-59.dat | nsis_installer_2
    behavioral1/files/0x00050000000125b7-62.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-62.dat | nsis_installer_2
    behavioral1/files/0x00050000000125b7-64.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-64.dat | nsis_installer_2
    behavioral1/files/0x00050000000125b7-68.dat | nsis_installer_1
    behavioral1/files/0x00050000000125b7-68.dat | nsis_installer_2
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    536 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
  • Modifies registry class
    EXCEL.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1556 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, msiexec.exe

    Reported IOCs

    pid | process
    396 | vbc.exe
    396 | vbc.exe
    396 | vbc.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1208 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    vbc.exe, msiexec.exe

    Reported IOCs

    pid | process
    396 | vbc.exe
    396 | vbc.exe
    396 | vbc.exe
    396 | vbc.exe
    1288 | msiexec.exe
    1288 | msiexec.exe
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe, msiexec.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 396 | vbc.exe
    Token: SeDebugPrivilege | 1288 | msiexec.exe
    Token: SeShutdownPrivilege | 1208 | Explorer.EXE
    Token: SeShutdownPrivilege | 1208 | Explorer.EXE
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
    1208 | Explorer.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1556 | EXCEL.EXE
    1556 | EXCEL.EXE
    1556 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, vbc.exe, Explorer.EXE, msiexec.exe

    Reported IOCs

    description | pid | process | target process
    PID 536 wrote to memory of 1084 | 536 | EQNEDT32.EXE | vbc.exe
    PID 536 wrote to memory of 1084 | 536 | EQNEDT32.EXE | vbc.exe
    PID 536 wrote to memory of 1084 | 536 | EQNEDT32.EXE | vbc.exe
    PID 536 wrote to memory of 1084 | 536 | EQNEDT32.EXE | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1084 wrote to memory of 396 | 1084 | vbc.exe | vbc.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1208 wrote to memory of 1288 | 1208 | Explorer.EXE | msiexec.exe
    PID 1288 wrote to memory of 1628 | 1288 | msiexec.exe | cmd.exe
    PID 1288 wrote to memory of 1628 | 1288 | msiexec.exe | cmd.exe
    PID 1288 wrote to memory of 1628 | 1288 | msiexec.exe | cmd.exe
    PID 1288 wrote to memory of 1628 | 1288 | msiexec.exe | cmd.exe
Processes 7
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PROFORMA-PDA 00GGTBGX00001A.xlsx"
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1556
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        PID:1628
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:396
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Public\vbc.exe

    MD5

    0efbf49197257609b692c8579c7c15cd

    SHA1

    5390a1eb61e84c9d546178e7c43a810c309f9013

    SHA256

    6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c

    SHA512

    823c648b4a3a196d98446ca9c5177cbd8ac0c753e372daf789ca8f6b3848344160b859de9e0a353d252a37b112abe30f8f5e0a28ceae6da61d47928f80c19a1c

  • \Users\Admin\AppData\Local\Temp\nsgD8A3.tmp\iynunsqb.dll

    MD5

    fdb24702ac3d38f586aa0343d71ba1d5

    SHA1

    662c61e11802ae875d864c6b8002ecfa5d7872f1

    SHA256

    e2bd42815d0ad61ad0f55056b9e78939a025f8b63c204afbf1ea1abf64adb71c

    SHA512

    26a86d2a7c7a4ef06e562e8cf2a40fd343b721539ef1808de6e1c6fa75a3bd1e2e3b85542aad76264792e776439e9dd1fe4fc282dee7a32948e2caa03a8e7051

  • \Users\Public\vbc.exe

    MD5

    0efbf49197257609b692c8579c7c15cd

    SHA1

    5390a1eb61e84c9d546178e7c43a810c309f9013

    SHA256

    6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c

    SHA512

    823c648b4a3a196d98446ca9c5177cbd8ac0c753e372daf789ca8f6b3848344160b859de9e0a353d252a37b112abe30f8f5e0a28ceae6da61d47928f80c19a1c

  • memory/396-70-0x00000000002D0000-0x00000000002E1000-memory.dmp
  • memory/396-66-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/396-69-0x0000000000770000-0x0000000000A73000-memory.dmp
  • memory/396-72-0x00000000004C0000-0x00000000004D1000-memory.dmp
  • memory/396-67-0x000000000041D4A0-mapping.dmp
  • memory/536-57-0x00000000757B1000-0x00000000757B3000-memory.dmp
  • memory/1084-61-0x0000000000000000-mapping.dmp
  • memory/1208-73-0x0000000006810000-0x0000000006967000-memory.dmp
  • memory/1208-81-0x0000000006E50000-0x0000000006F2A000-memory.dmp
  • memory/1208-71-0x0000000004F70000-0x000000000504C000-memory.dmp
  • memory/1288-78-0x0000000000090000-0x00000000000B9000-memory.dmp
  • memory/1288-80-0x0000000001EA0000-0x0000000001F30000-memory.dmp
  • memory/1288-74-0x0000000000000000-mapping.dmp
  • memory/1288-77-0x00000000020E0000-0x00000000023E3000-memory.dmp
  • memory/1288-76-0x00000000006D0000-0x00000000006E4000-memory.dmp
  • memory/1556-54-0x000000002FCC1000-0x000000002FCC4000-memory.dmp
  • memory/1556-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1556-55-0x0000000071141000-0x0000000071143000-memory.dmp
  • memory/1556-82-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1628-79-0x0000000000000000-mapping.dmp