Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
11-10-2021 21:15
Static task
static1
Behavioral task
behavioral1
Sample
proforma invoice and packing list.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
proforma invoice and packing list.xlsx
Resource
win10-en-20210920
General
-
Target
proforma invoice and packing list.xlsx
-
Size
269KB
-
MD5
6fde5f271c363c8c6958c79a97ba4208
-
SHA1
7fc836aaf75422e4d8a4c62b3c5136d464e24f8f
-
SHA256
033372113246279f04ccac1fab6748a2bfd2ed9b9c5cb980534f444dac558af8
-
SHA512
8fbb97b4ed844864b8aba660496b34176967343bea968108568426e227a83c70ad2159bbc532c1ac3b6fa832bd54cc3e5bbede6abc4986101ca6f7f026b81b00
Malware Config
Extracted
xloader
2.5
b2c0
http://www.thesewhitevvalls.com/b2c0/
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
bf396.com
chinaopedia.com
6233v.com
shopeuphoricapparel.com
loccssol.store
truefictionpictures.com
playstarexch.com
peruviancoffee.store
shobhajoshi.com
philme.net
avito-rules.com
independencehomecenters.com
atp-cayenne.com
invetorsbank.com
sasanos.com
scentfreebnb.com
catfuid.com
sunshinefamilysupport.com
madison-co-atty.net
newhousebr.com
newstodayupdate.com
kamalaanjna.com
itpronto.com
hi-loentertainment.com
sadpartyrentals.com
vertuminy.com
khomayphotocopy.club
roleconstructora.com
cottonhome.online
starsspell.com
bedrijfs-kledingshop.com
aydeyahouse.com
miaintervista.com
taolemix.com
lnagvv.space
bjmobi.com
collabkc.art
onayli.net
ecostainable.com
vi88.info
brightlifeprochoice.com
taoluzhibo.info
techgobble.com
ideemimarlikinsaat.com
andajzx.com
shineshaft.website
arroundworld.com
reyuzed.com
emilfaucets.com
lumberjackguitarloops.com
pearl-interior.com
altitudebc.com
cqjiubai.com
kutahyaescortbayanlarim.xyz
metalworkingadditives.online
unasolucioendesa.com
andrewfjohnston.com
visionmark.net
dxxlewis.com
carts-amazon.com
anadolu.academy
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1688-65-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1688-66-0x000000000041D4C0-mapping.dmp xloader behavioral1/memory/1316-75-0x0000000000100000-0x0000000000129000-memory.dmp xloader behavioral1/memory/1452-88-0x000000000041D4C0-mapping.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 528 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
vbc.exevbc.exewinz4atqpah.exewinz4atqpah.exepid process 988 vbc.exe 1688 vbc.exe 1720 winz4atqpah.exe 1452 winz4atqpah.exe -
Loads dropped DLL 5 IoCs
Processes:
EQNEDT32.EXEvbc.exewinz4atqpah.exepid process 528 EQNEDT32.EXE 528 EQNEDT32.EXE 528 EQNEDT32.EXE 988 vbc.exe 1720 winz4atqpah.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
cmmon32.exedescription ioc process Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run cmmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XTKDQ0Q8WL = "C:\\Program Files (x86)\\Mshldu\\winz4atqpah.exe" cmmon32.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
vbc.exevbc.execmmon32.exewinz4atqpah.exedescription pid process target process PID 988 set thread context of 1688 988 vbc.exe vbc.exe PID 1688 set thread context of 1208 1688 vbc.exe Explorer.EXE PID 1316 set thread context of 1208 1316 cmmon32.exe Explorer.EXE PID 1720 set thread context of 1452 1720 winz4atqpah.exe winz4atqpah.exe -
Drops file in Program Files directory 2 IoCs
Processes:
cmmon32.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\Mshldu\winz4atqpah.exe cmmon32.exe File created C:\Program Files (x86)\Mshldu\winz4atqpah.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 18 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_1 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_2 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_1 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_2 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_1 C:\Program Files (x86)\Mshldu\winz4atqpah.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEcmmon32.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmmon32.exe -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1596 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
vbc.execmmon32.exewinz4atqpah.exepid process 1688 vbc.exe 1688 vbc.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe 1452 winz4atqpah.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
vbc.execmmon32.exepid process 1688 vbc.exe 1688 vbc.exe 1688 vbc.exe 1316 cmmon32.exe 1316 cmmon32.exe 1316 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
vbc.exeExplorer.EXEcmmon32.exewinz4atqpah.exedescription pid process Token: SeDebugPrivilege 1688 vbc.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeDebugPrivilege 1316 cmmon32.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeDebugPrivilege 1452 winz4atqpah.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1596 EXCEL.EXE 1596 EXCEL.EXE 1596 EXCEL.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEcmmon32.exewinz4atqpah.exedescription pid process target process PID 528 wrote to memory of 988 528 EQNEDT32.EXE vbc.exe PID 528 wrote to memory of 988 528 EQNEDT32.EXE vbc.exe PID 528 wrote to memory of 988 528 EQNEDT32.EXE vbc.exe PID 528 wrote to memory of 988 528 EQNEDT32.EXE vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 988 wrote to memory of 1688 988 vbc.exe vbc.exe PID 1208 wrote to memory of 1316 1208 Explorer.EXE cmmon32.exe PID 1208 wrote to memory of 1316 1208 Explorer.EXE cmmon32.exe PID 1208 wrote to memory of 1316 1208 Explorer.EXE cmmon32.exe PID 1208 wrote to memory of 1316 1208 Explorer.EXE cmmon32.exe PID 1316 wrote to memory of 108 1316 cmmon32.exe cmd.exe PID 1316 wrote to memory of 108 1316 cmmon32.exe cmd.exe PID 1316 wrote to memory of 108 1316 cmmon32.exe cmd.exe PID 1316 wrote to memory of 108 1316 cmmon32.exe cmd.exe PID 1316 wrote to memory of 1448 1316 cmmon32.exe Firefox.exe PID 1316 wrote to memory of 1448 1316 cmmon32.exe Firefox.exe PID 1316 wrote to memory of 1448 1316 cmmon32.exe Firefox.exe PID 1316 wrote to memory of 1448 1316 cmmon32.exe Firefox.exe PID 1208 wrote to memory of 1720 1208 Explorer.EXE winz4atqpah.exe PID 1208 wrote to memory of 1720 1208 Explorer.EXE winz4atqpah.exe PID 1208 wrote to memory of 1720 1208 Explorer.EXE winz4atqpah.exe PID 1208 wrote to memory of 1720 1208 Explorer.EXE winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe PID 1720 wrote to memory of 1452 1720 winz4atqpah.exe winz4atqpah.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\proforma invoice and packing list.xlsx"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Mshldu\winz4atqpah.exe"C:\Program Files (x86)\Mshldu\winz4atqpah.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Mshldu\winz4atqpah.exe"C:\Program Files (x86)\Mshldu\winz4atqpah.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Mshldu\winz4atqpah.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
C:\Program Files (x86)\Mshldu\winz4atqpah.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
C:\Program Files (x86)\Mshldu\winz4atqpah.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
C:\Users\Admin\AppData\Local\Temp\q3wbkmtba0d4v8d99bMD5
e6e0282e8006d1883bece0c21814599f
SHA11f2d2b0cfb53d45e020a2e900e066709a0396e10
SHA25625538b858396138693a55a36a34c812b80121041f0748de86c74aa34252d1b26
SHA512285b1098f709ce0137deeb6b0e21f2d02eb02437d9a5f2e98385d8525116401b818d3f3d5658efeb945c4ba0015fc460821ee261b0904a944fe8d82ea53d37be
-
C:\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
C:\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
C:\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
\Users\Admin\AppData\Local\Temp\nsj40.tmp\fqbakxndgg.dllMD5
0ec0b6676a0c830fa1d12a82e0e2ccfc
SHA161edae0d4bb19dd31b9ed2ed4d76c99b4f04ebe2
SHA256c168119aced865f94f0856f3d7419f33142ffe0e8f90c94205d5707b60710617
SHA512ea5496d61a19ac03a49788d5cc7ae18603ec728c153b9c580f6faa7cfc850c297f9978429627e765467d8130409ca25ce041f0f42065d14fe53c6ef69943e574
-
\Users\Admin\AppData\Local\Temp\nsyE9E3.tmp\fqbakxndgg.dllMD5
0ec0b6676a0c830fa1d12a82e0e2ccfc
SHA161edae0d4bb19dd31b9ed2ed4d76c99b4f04ebe2
SHA256c168119aced865f94f0856f3d7419f33142ffe0e8f90c94205d5707b60710617
SHA512ea5496d61a19ac03a49788d5cc7ae18603ec728c153b9c580f6faa7cfc850c297f9978429627e765467d8130409ca25ce041f0f42065d14fe53c6ef69943e574
-
\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
\Users\Public\vbc.exeMD5
f8ba5db8bad75222081bc6b9297126a4
SHA1290a186a9869a6f3ded1049b1d567eafe0041f5d
SHA256b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA51270f90c213dfd898c3f9e91bb6855493ab894604f04ced9b910c3f37eb1bbe658b6944cc847e315d7fe9d793bf1dba8772c38ef12fbf3cf41c52fcde3adca26d5
-
memory/108-73-0x0000000000000000-mapping.dmp
-
memory/528-56-0x00000000757B1000-0x00000000757B3000-memory.dmpFilesize
8KB
-
memory/988-60-0x0000000000000000-mapping.dmp
-
memory/1208-71-0x00000000068E0000-0x0000000006A10000-memory.dmpFilesize
1.2MB
-
memory/1208-78-0x0000000006D70000-0x0000000006EE8000-memory.dmpFilesize
1.5MB
-
memory/1316-72-0x0000000000000000-mapping.dmp
-
memory/1316-75-0x0000000000100000-0x0000000000129000-memory.dmpFilesize
164KB
-
memory/1316-74-0x0000000000FF0000-0x0000000000FFD000-memory.dmpFilesize
52KB
-
memory/1316-76-0x00000000009B0000-0x0000000000CB3000-memory.dmpFilesize
3.0MB
-
memory/1316-77-0x0000000000910000-0x00000000009A0000-memory.dmpFilesize
576KB
-
memory/1452-88-0x000000000041D4C0-mapping.dmp
-
memory/1452-90-0x0000000000770000-0x0000000000A73000-memory.dmpFilesize
3.0MB
-
memory/1596-79-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1596-53-0x000000002FE11000-0x000000002FE14000-memory.dmpFilesize
12KB
-
memory/1596-55-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1596-54-0x0000000071141000-0x0000000071143000-memory.dmpFilesize
8KB
-
memory/1688-70-0x0000000000480000-0x0000000000491000-memory.dmpFilesize
68KB
-
memory/1688-69-0x00000000008B0000-0x0000000000BB3000-memory.dmpFilesize
3.0MB
-
memory/1688-66-0x000000000041D4C0-mapping.dmp
-
memory/1688-65-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1720-81-0x0000000000000000-mapping.dmp