Analysis
-
max time kernel
141s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
04-10-2021 08:50
Static task
static1
Behavioral task
behavioral1
Sample
PO 20212702.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PO 20212702.xlsx
Resource
win10v20210408
General
-
Target
PO 20212702.xlsx
-
Size
313KB
-
MD5
866d989d919c96e981a9b8ab1af9d8fb
-
SHA1
1ba7069a23eb4cbac7bb6653fe6d6e461ccdcbf4
-
SHA256
7ffcb9f6daf4464de0fc3d659e47b76673c16c0f864ad0d2d1ac40f4b295ddfb
-
SHA512
a6012888e7585c8e6432bee2273b1671ac740dfb70e20b92e3b9daa315c0b4621e31f7edbb15fca7aaed46bfa71bf49cbf40f838d325f4112aa1db1fae480481
Malware Config
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2044-71-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2044-72-0x00000000004080E4-mapping.dmp family_neshta behavioral1/memory/2044-76-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 1404 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 548 vbc.exe 2044 vbc.exe -
Loads dropped DLL 6 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 1404 EQNEDT32.EXE 1404 EQNEDT32.EXE 1404 EQNEDT32.EXE 1404 EQNEDT32.EXE 2044 vbc.exe 2044 vbc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 548 set thread context of 2044 548 vbc.exe vbc.exe -
Drops file in Program Files directory 64 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\Windows\svchost.com vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1144 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 1144 EXCEL.EXE 1144 EXCEL.EXE 1144 EXCEL.EXE 1144 EXCEL.EXE 1144 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EQNEDT32.EXEvbc.exedescription pid process target process PID 1404 wrote to memory of 548 1404 EQNEDT32.EXE vbc.exe PID 1404 wrote to memory of 548 1404 EQNEDT32.EXE vbc.exe PID 1404 wrote to memory of 548 1404 EQNEDT32.EXE vbc.exe PID 1404 wrote to memory of 548 1404 EQNEDT32.EXE vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe PID 548 wrote to memory of 2044 548 vbc.exe vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO 20212702.xlsx"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1144
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2044
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\VBC_1_~1.EXEMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
C:\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
C:\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
C:\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
\Users\Public\vbc.exeMD5
fd31986696a39355b9e100754b4724e3
SHA14f1045ce5437b5a761c02a1446c0defd89280ddb
SHA256a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08
SHA512bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb
-
memory/548-69-0x0000000005FF0000-0x0000000006057000-memory.dmpFilesize
412KB
-
memory/548-65-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/548-67-0x00000000048A0000-0x00000000048A1000-memory.dmpFilesize
4KB
-
memory/548-68-0x0000000000380000-0x0000000000386000-memory.dmpFilesize
24KB
-
memory/548-70-0x0000000001EE0000-0x0000000001F17000-memory.dmpFilesize
220KB
-
memory/548-62-0x0000000000000000-mapping.dmp
-
memory/1144-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1144-79-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1144-54-0x000000002F111000-0x000000002F114000-memory.dmpFilesize
12KB
-
memory/1144-55-0x0000000071481000-0x0000000071483000-memory.dmpFilesize
8KB
-
memory/1404-57-0x0000000076581000-0x0000000076583000-memory.dmpFilesize
8KB
-
memory/2044-71-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2044-76-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2044-72-0x00000000004080E4-mapping.dmp