Payment Advise.xlsx

General

Target: Payment Advise.xlsx
Filesize: 337KB
Completed: 12-10-2021 23:21
Score: 10/10
MD5: 2a2774f89f6ac878975ef5227cc8a92b
SHA1: bfbfd645fed06b7598bfe1f583d0ba04ad943b29
SHA256: 54167fce5b8273b4a21f9da96c32113ebe3e5831f51aebad3ae1e97d5165f263

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: kzk9
C2: http://www.yourmajordomo.com/kzk9/
Decoy:


Signatures 18

Tactics: Defense Evasion, Discovery, Execution

  • Formbook

    Description

    Formbook is an information-stealing malware family.

  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1804-77-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
    behavioral1/memory/1804-78-0x000000000041EB80-mapping.dmp | formbook
    behavioral1/memory/1804-84-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
    behavioral1/memory/1664-91-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
  • Blocklisted process makes network request
    EQNEDT32.EXE

    Reported IOCs

    flow | pid | process
    5 | 1528 | EQNEDT32.EXE
  • Downloads MZ/PE file
  • Executes dropped EXE
    vbc.exe, vbc.exe

    Reported IOCs

    pid | process
    1560 | vbc.exe
    1804 | vbc.exe
  • Loads dropped DLL
    EQNEDT32.EXE

    Reported IOCs

    pid | process
    1528 | EQNEDT32.EXE (4 events)
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    vbc.exe, vbc.exe, raserver.exe

    Reported IOCs

    description | pid | process | target process
    PID 1560 set thread context of 1804 | 1560 | vbc.exe | vbc.exe
    PID 1804 set thread context of 1196 | 1804 | vbc.exe | Explorer.EXE (2 events)
    PID 1664 set thread context of 1196 | 1664 | raserver.exe | Explorer.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    1528 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1984 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, vbc.exe, raserver.exe

    Reported IOCs

    pid | process
    1560 | vbc.exe (7 events)
    1804 | vbc.exe (3 events)
    1664 | raserver.exe (13 events)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1196 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    vbc.exe, raserver.exe

    Reported IOCs

    pid | process
    1804 | vbc.exe (4 events)
    1664 | raserver.exe (2 events)
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe, vbc.exe, raserver.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1560 | vbc.exe
    Token: SeDebugPrivilege | 1804 | vbc.exe
    Token: SeDebugPrivilege | 1664 | raserver.exe
    Token: SeShutdownPrivilege | 1196 | Explorer.EXE (5 events)
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1984 | EXCEL.EXE (3 events)
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, vbc.exe, vbc.exe, raserver.exe

    Reported IOCs

    description | pid | process | target process
    PID 1528 wrote to memory of 1560 | 1528 | EQNEDT32.EXE | vbc.exe (4 events)
    PID 1560 wrote to memory of 1804 | 1560 | vbc.exe | vbc.exe (7 events)
    PID 1804 wrote to memory of 1664 | 1804 | vbc.exe | raserver.exe (4 events)
    PID 1664 wrote to memory of 324 | 1664 | raserver.exe | cmd.exe (4 events)
Processes 17
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    PID:1196
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advise.xlsx"
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1984
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:980
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1736
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1372
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:348
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1964
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1684
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:908
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1508
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1836
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1812
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          Suspicious use of SetThreadContext
          Suspicious behavior: EnumeratesProcesses
          Suspicious behavior: MapViewOfSection
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Public\vbc.exe"
            PID:324
Network
Downloads
  • C:\Users\Public\vbc.exe
    MD5: 1fe73fe4d37cae6a02262b5164f3def0
    SHA1: 80b03eb27651723bded1fd1425f489225b3bba3b
    SHA256: 0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8
    SHA512: 7416dadb6e85cc43000bba33f47797cf7e5fe5ee0c9f8639685130264a867b6048839d2b74ca3e00b00caf8a1dcf83d08f01901c56ab9343888d62501c48d2b6

  • \Users\Public\vbc.exe
    MD5: 1fe73fe4d37cae6a02262b5164f3def0
    SHA1: 80b03eb27651723bded1fd1425f489225b3bba3b
    SHA256: 0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8
    SHA512: 7416dadb6e85cc43000bba33f47797cf7e5fe5ee0c9f8639685130264a867b6048839d2b74ca3e00b00caf8a1dcf83d08f01901c56ab9343888d62501c48d2b6
