Bank Details.xlsx

General

Target: Bank Details.xlsx
Filesize: 327KB
Completed: 14-10-2021 05:38
Score: 10/10
MD5: 1cdbd552294df147d59c7098ce40584d
SHA1: 665ce5496ea7db7e44c01f6b6f448765d75e989f
SHA256: c19f592d9185040912a2901fdd4910ff4ebfd6c6b6ac3b41a1153d93828b1841

Malware Config

Extracted

Family: lokibot
C2:

http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Note: kbfvzoboss.bid and the three alphastand.* URLs are the hard-coded fallback gates carried by many leaked/cracked Lokibot builds and show up across unrelated samples, so they are weak indicators for this campaign. The first URL (the .gq host with the BN111 path) appears to be the operator-specific gate and is the one worth blocking and hunting on.
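The extracted C2 list is only useful once it is turned into something that runs against traffic. The Python below is an added example, not part of the sandbox report: it normalises the five URLs above into exact, host-only and path-pattern matchers and runs them over constructed proxy log lines (the log format, timestamps, client addresses and status codes are made up for the example; the "fre.php" gate name is the one every URL in the extracted config ends with).

```python
"""Turn the five extracted Lokibot C2 URLs into matchers and run them
over constructed proxy log lines."""
from urllib.parse import urlsplit

# C2 list exactly as extracted by the sandbox.
C2_URLS = [
    "http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalize(url: str):
    """Return (host, path) with scheme, port, query and case differences removed."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    return host, path


C2_EXACT = {normalize(u) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_EXACT}


def classify(url: str):
    """Three tiers: exact config URL, same host, or the Lokibot gate file name on any host."""
    host, path = normalize(url)
    if (host, path) in C2_EXACT:
        return "c2_exact"
    if host in C2_HOSTS:
        return "c2_host"
    if path.lower().endswith("/fre.php"):
        return "lokibot_gate_pattern"
    return None


def scan_proxy_log(lines):
    """Constructed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed proxy log: timestamps, client addresses and status codes are invented.
SAMPLE_LOG = [
    "2021-10-14T05:38:10Z 10.0.0.25 POST http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php 404",
    "2021-10-14T05:38:11Z 10.0.0.25 POST HTTP://KBFVZOBOSS.BID:80/alien/fre.php?x=1 000",
    "2021-10-14T05:38:12Z 10.0.0.25 GET http://alphastand.top/ 200",
    "2021-10-14T05:38:13Z 10.0.0.26 POST http://panel.example.invalid/other/fre.php 200",
    "2021-10-14T05:38:14Z 10.0.0.27 GET http://www.microsoft.com/ 200",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:22} {client:10} {url}")
```

The host-only tier exists because a gate path changes more often than the domain behind it; the path-pattern tier is deliberately noisy and belongs in a hunting query rather than a blocking rule.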

Signatures (21)

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Execution
  • Lokibot

    Description

    Lokibot is a password and cryptocurrency-wallet stealer.

  • Blocklisted process makes network request
    EQNEDT32.EXE

    Description

    Equation Editor has no reason to talk to the network. Here the request is the exploit payload fetching the next stage (see "Downloads MZ/PE file" and the dropped C:\Users\Public\vbc.exe below).

    Reported IOCs

    flow | pid | process
    4 | 680 | EQNEDT32.EXE
  • Downloads MZ/PE file
  • Executes dropped EXE
    vbc.exe, vbc.exe

    Reported IOCs

    pid | process
    1932 | vbc.exe
    1832 | vbc.exe
  • Loads dropped DLL
    EQNEDT32.EXE, vbc.exe

    Reported IOCs

    pid | process
    680 | EQNEDT32.EXE (3 events)
    1932 | vbc.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Uses the VBS compiler for execution

    Description

    Triggered by the file name only. The C:\Users\Public\vbc.exe seen here (MD5 70d177abc7455c709ae9710630b9ea49) is the downloaded, NSIS-packed payload, not the Visual Basic .NET compiler that ships with the .NET Framework, so this is not a living-off-the-land compiler abuse.

    TTPs

    Scripting
  • Accesses Microsoft Outlook profiles
    vbc.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vbc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe
  • Suspicious use of SetThreadContext
    vbc.exe

    Reported IOCs

    description | pid | process | target process
    PID 1932 set thread context of 1832 | 1932 | vbc.exe | vbc.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's stock text labels this "likely ransomware behaviour"; for this sample the family is an infostealer, so the drive enumeration is better read as the stealer looking for files and wallets to collect, not as a ransomware indicator.

    TTPs

    System Information Discovery
  • NSIS installer

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00050000000125b7-57.dat | nsis_installer_1, nsis_installer_2
    behavioral1/files/0x00050000000125b7-59.dat | nsis_installer_1, nsis_installer_2
    behavioral1/files/0x00050000000125b7-58.dat | nsis_installer_1, nsis_installer_2
    behavioral1/files/0x00050000000125b7-61.dat | nsis_installer_1, nsis_installer_2
    behavioral1/files/0x00050000000125b7-63.dat | nsis_installer_1, nsis_installer_2
    behavioral1/files/0x00050000000125b7-67.dat | nsis_installer_1, nsis_installer_2
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. It runs as an out-of-process COM server, so EQNEDT32.EXE is activated over DCOM (note the -Embedding switch in the process list) and appears at the top level of the process tree rather than as a child of EXCEL.EXE. Detections keyed on an Office parent process will not see it; key on EQNEDT32.EXE spawning children or making network requests instead.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    680 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    Description

    Every key below is Office 2010 (Office14) self-registration: Word is registered as the Default HTML/MHTML Editor and the "Export to Microsoft Excel" and "Send to OneNote" IE menu extensions are created. Excel does this on its own on first run in the sandbox image; the REG_BINARY "command" values are Windows Installer advertised-command (Darwin) descriptors, not shellcode. None of it is attributable to the sample.

    TTPs

    Modify Registry

    Reported IOCs (process is EXCEL.EXE in every row)

    description | ioc
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  • Modifies registry class
    EXCEL.EXE

    Description

    Office 2010 self-registration again: OpenWithList entries for .htm/.mht pointing at Word, Excel and Publisher, the Excel DDE "[open("%1")]" handlers, and the mhtmlfile icon handler CLSID {42042206-2D85-11D3-8CFF-005004838597}. The REG_BINARY "command" values are the same advertised-command descriptors as above. Not sample behaviour.

    Reported IOCs (process is EXCEL.EXE in every row)

    description | ioc
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
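A quick way to confirm that the REG_BINARY "command" values in the two registry signatures above are Office's own Windows Installer advertised-command descriptors, and not something the sample wrote, is to decode them. The Python below is an added example and is not part of the sandbox report. The two hex blobs are copied verbatim from the report (the Default HTML Editor\shell\edit\command\command value and the .htm\OpenWithList\Microsoft Excel\shell\edit\command\command value); the base-85 alphabet and the 20-character compressed-GUID layout follow the documented MSI "Darwin descriptor" format.

```python
"""Decode the REG_BINARY 'command' values reported under the Internet
Explorer 'Default HTML Editor' and Classes\\.htm\\OpenWithList keys.

Each value is a UTF-16LE string laid out as: a 20-char compressed MSI
product GUID, a feature name, '>', a 20-char compressed component GUID,
then the arguments Windows Installer appends after it resolves the
component to an executable path (an 'advertised' command)."""
import struct
import uuid
from dataclasses import dataclass

# Base-85 alphabet used by MSI for compressed GUIDs ('!' encodes 0).
MSI_B85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "[]^_`abcdefghijklmnopqrstuvwxyz{}~")
GUID_LEN = 20  # four 5-char base-85 groups, one 32-bit little-endian word each

# Hex blobs copied verbatim from the report.
HTML_EDITOR_CMD = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000"
)
EXCEL_OPENWITH_CMD = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c0065007300"
    "3e00560069006a00710042006f00660028005900"
    "3800270077002100460049006400310067004c00"
    "510020002f0064006400650000000000"
)


@dataclass
class AdvertisedCommand:
    product: str    # decompressed product GUID
    feature: str    # MSI feature the entry advertises
    component: str  # decompressed component GUID (resolves to the EXE on disk)
    args: str       # trailing command-line arguments


def decompress_guid(packed: str) -> str:
    """Expand a 20-char MSI compressed GUID to {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    if len(packed) != GUID_LEN:
        raise ValueError("compressed GUID must be 20 characters")
    raw = b""
    for i in range(0, GUID_LEN, 5):
        word = 0
        for ch in reversed(packed[i:i + 5]):   # least-significant character first
            word = word * 85 + MSI_B85.index(ch)
        raw += struct.pack("<I", word)
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def decode_advertised_command(hex_blob: str) -> AdvertisedCommand:
    """Split a UTF-16LE advertised command into product, feature, component and args."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")
    product = text[:GUID_LEN]
    feature, sep, tail = text[GUID_LEN:].partition(">")
    if not sep or len(tail) < GUID_LEN:
        raise ValueError("not a Darwin descriptor")
    return AdvertisedCommand(
        product=decompress_guid(product),
        feature=feature,
        component=decompress_guid(tail[:GUID_LEN]),
        args=tail[GUID_LEN:].strip(),
    )


if __name__ == "__main__":
    for label, blob in (("Default HTML Editor", HTML_EDITOR_CMD),
                        ("OpenWithList\\Microsoft Excel", EXCEL_OPENWITH_CMD)):
        cmd = decode_advertised_command(blob)
        print(f"{label}: product={cmd.product} feature={cmd.feature} args={cmd.args!r}")
```

Both blobs decode to the same product GUID, {90140000-0011-0000-0000-0000000FF1CE} (Office Professional Plus 2010), with the features WORDFiles and EXCELFiles and the arguments /n "%1" and /dde, which is exactly what the plain-text command values next to them say. A blob that decoded to a product GUID unknown to the image, or to arguments pointing outside Program Files, would be worth a second look; these are not.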
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1528 | EXCEL.EXE
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1832 | vbc.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1528 | EXCEL.EXE (3 events)
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, vbc.exe

    Reported IOCs

    description | pid | process | target process
    PID 680 wrote to memory of 1932 | 680 | EQNEDT32.EXE | vbc.exe (4 events)
    PID 1932 wrote to memory of 1832 | 1932 | vbc.exe | vbc.exe (10 events)
  • outlook_office_path
    vbc.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe
  • outlook_win_path
    vbc.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes (4)
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Bank Details.xlsx"
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:1528
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        PID:1832
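The process tree above is the detection-relevant part of this report: Equation Editor (activated over DCOM, so its parent is a svchost.exe host rather than EXCEL.EXE) spawns an executable from C:\Users\Public, which then launches a second copy of itself, writes into it and sets its thread context. The Python below is an added example, not part of the sandbox report: it encodes those three relationships as rules and runs them over constructed Sysmon-style process-creation and memory-access events. PIDs 1528, 680, 1932 and 1832 and their image paths are taken from the report; the explorer.exe and svchost.exe parents (PIDs 1100 and 700), the two control processes (2200, 2300) and the event shapes are assumptions made for the example.

```python
"""Process-chain rules for the Equation Editor -> dropped EXE -> self-hollowing
pattern in the report, run over constructed Sysmon-style events."""
import ntpath
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:          # one process-creation record
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class MemEvent:           # one cross-process memory/thread manipulation record
    src_pid: int
    dst_pid: int
    api: str              # "WriteProcessMemory" or "SetThreadContext"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
# Directories a low-privileged user can write to; matched as path substrings.
USER_WRITABLE_MARKERS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")

EQNEDT32 = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed events. PIDs 1528/680/1932/1832 and their images come from the
# report; the explorer.exe/svchost.exe parents (1100/700) and the two control
# processes (2200/2300) are assumptions added for the example.
PROC_EVENTS = [
    ProcEvent(1100, 900, r"C:\Windows\explorer.exe"),
    ProcEvent(700, 500, r"C:\Windows\System32\svchost.exe"),   # DcomLaunch host
    ProcEvent(1528, 1100, EXCEL),
    ProcEvent(680, 700, EQNEDT32),    # out-of-process COM server: parent is svchost, not EXCEL
    ProcEvent(1932, 680, VBC),
    ProcEvent(1832, 1932, VBC),
    ProcEvent(2200, 700, EQNEDT32),   # control: clean Equation Editor activation, no child
    ProcEvent(2300, 1100, r"C:\Users\Public\notes.exe"),  # control: writable path, no Office ancestor
]
MEM_EVENTS = [
    MemEvent(680, 1932, "WriteProcessMemory"),
    MemEvent(1932, 1832, "WriteProcessMemory"),
    MemEvent(1932, 1832, "SetThreadContext"),
]


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def _user_writable(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def _ancestors(pid: int, by_pid: dict) -> list:
    """Walk parent links upward; stops at an unknown parent or a cycle."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def detect(procs: Iterable[ProcEvent], mem_events: Iterable[MemEvent]) -> list:
    by_pid = {p.pid: p for p in procs}
    mem = list(mem_events)
    findings = []
    for p in by_pid.values():
        parent = by_pid.get(p.ppid)
        # Rule 1: Equation Editor has no legitimate reason to spawn anything.
        if parent and _name(parent.image) == "eqnedt32.exe":
            findings.append(Finding("eqnedt32_spawns_child", p.pid, f"{parent.pid} -> {p.image}"))
        # Rule 2: executable in a user-writable directory with an Office process in its ancestry.
        if _user_writable(p.image) and any(_name(a.image) in OFFICE_IMAGES for a in _ancestors(p.pid, by_pid)):
            findings.append(Finding("office_dropped_exe", p.pid, p.image))
        # Rule 3: parent spawns its own image, then writes into it and sets its thread context.
        if parent and parent.image.lower() == p.image.lower():
            apis = {m.api for m in mem if m.src_pid == parent.pid and m.dst_pid == p.pid}
            if {"WriteProcessMemory", "SetThreadContext"} <= apis:
                findings.append(Finding("process_hollowing", p.pid,
                                        f"{parent.pid} -> {p.pid}: {', '.join(sorted(apis))}"))
    return findings


if __name__ == "__main__":
    for f in detect(PROC_EVENTS, MEM_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

Rule 2 walks the ancestry instead of checking only the direct parent, which is what makes it fire on the second vbc.exe (PID 1832) even though its parent is the first vbc.exe rather than Equation Editor. Rule 3 requires both memory writes and a thread-context change from the parent, so a plain self-restart does not trigger it.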
Network

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Public\vbc.exe (the sandbox lists this file several times; every entry carries the same hashes)

    MD5: 70d177abc7455c709ae9710630b9ea49
    SHA1: 4d81e55880a35c0157046560eca20b9f528838f4
    SHA256: b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511
    SHA512: 25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

  • \Users\Admin\AppData\Local\Temp\nsdF1EE.tmp\mahyiit.dll (NSIS plugin directory; this is the dropped DLL loaded by vbc.exe PID 1932)

    MD5: b5d0f9fbb3df9a1a42b479fdd334417c
    SHA1: f0780dbafbdb20235c97a28cc0ad8e1abc1547f3
    SHA256: 0eaec60342b2074da968f010e592ad52c8b7dbfd72759b97f999f0eb88861136
    SHA512: 3bd39726feb5b0b946e6b29c17a12ba044bf2d0e5374c217527542a6a6f09f65e3944007d0427936178e5c485bede8631caa5738d0be50ac291759fcdd4ec26f

  • memory/680-56-0x0000000074B91000-0x0000000074B93000-memory.dmp
  • memory/1528-54-0x0000000070F01000-0x0000000070F03000-memory.dmp
  • memory/1528-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1528-53-0x000000002FE61000-0x000000002FE64000-memory.dmp
  • memory/1528-70-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1832-65-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/1832-66-0x00000000004139DE-mapping.dmp
  • memory/1832-69-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/1932-60-0x0000000000000000-mapping.dmp

Note: memory/1832-65 and memory/1832-69 cover 0x00400000-0x004A2000 in the second vbc.exe (PID 1832), the region PID 1932 wrote into before setting its thread context, and memory/1832-66 (0x004139DE) is consistent with the entry point handed to SetThreadContext. An unpacked Lokibot payload is far more likely to be recoverable from those dumps than from the NSIS-packed vbc.exe on disk.