Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
14-10-2021 10:06
Static task
static1
Behavioral task
behavioral1
Sample
CHIANG LAAN ship particular.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
CHIANG LAAN ship particular.xlsx
Resource
win10-en-20210920
General
-
Target
CHIANG LAAN ship particular.xlsx
-
Size
332KB
-
MD5
51d669feccb183a01b42156ae4048a1f
-
SHA1
dbefe524757e949e2d9a65d3b65667706f66b7cd
-
SHA256
df630d27aed47b1a28ab1e184814f0f0bf83e2b81d83cee8beaddcc1ea25a79e
-
SHA512
f9e33f32842e2d156d82d83e2b8348277c577836ba04b306b15d897bf75a664ca3fc3b8238cd04f31e96f5e62d765616baee9540e309ca5c4ee80807abc8ea90
Malware Config
Extracted
xloader
2.5
bntn
http://www.forex-fm.online/bntn/
pollynfertility.com
frayahanson.com
longrunconsultancy.com
influencerimpactacademy.com
kentislandeats.com
71zkck.biz
835641.com
sklepmeki.store
lauradanielphotography.com
betnubhelp.com
invoicefunder.com
reignbeautycompany.com
eclipsegl.com
zacharyparkerporward5.com
alexiamalan.top
xn--299akkrtr22f.com
telex.business
pingsportsbet.com
fountainspringsrehab.com
intelbloodstock.com
drtuba.one
seoblur.com
paramustowing.com
shristientreprise.com
addcolor.city
mirofotografias.com
techno-delights.com
pineapplejacks.net
hojerti.info
httpxhydh233.xyz
safenterprisespk.com
nexria.com
whiskeyridgebeef.net
tongtongticket.com
shepinhang.net
ungurulife.online
treeserviceconsulting.com
azxx123.com
empyrealgrowva.com
do-remember.com
centralcontable.net
ort-care.com
dronedemonstration.com
georgioskaranasios.com
shojicorpadvisory.com
parwarluxurycars.com
astute.company
globalragas.online
9veronicaavenue.com
nv-us1.com
sailislife.com
nordiclightsllc.com
the-solar-ohio.com
bakermckenzieny.com
cherielu.com
gemini-airwave.pro
experienceanewremarkable.com
nillionbux.com
overcomeeverythingathletics.com
binbin-ads.com
hoganieftini.com
referralinstituteatlanta.com
willpowerleggings.com
tuningwarehouse.com
Signatures
-
Detect Neshta Payload 7 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\VBC_1_~1.EXE family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1992-81-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1992-82-0x000000000041D490-mapping.dmp xloader behavioral1/memory/1692-91-0x0000000000080000-0x00000000000A9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 672 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exevbc.exevbc.exepid process 952 vbc.exe 1648 vbc.exe 1992 vbc.exe -
Loads dropped DLL 7 IoCs
Processes:
EQNEDT32.EXEvbc.exevbc.exepid process 672 EQNEDT32.EXE 672 EQNEDT32.EXE 672 EQNEDT32.EXE 672 EQNEDT32.EXE 952 vbc.exe 952 vbc.exe 1648 vbc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.exeNETSTAT.EXEdescription pid process target process PID 1648 set thread context of 1992 1648 vbc.exe vbc.exe PID 1992 set thread context of 1384 1992 vbc.exe Explorer.EXE PID 1692 set thread context of 1384 1692 NETSTAT.EXE Explorer.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE vbc.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\Windows\svchost.com vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 1692 NETSTAT.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2012 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
vbc.exeNETSTAT.EXEpid process 1992 vbc.exe 1992 vbc.exe 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE 1692 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1384 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
vbc.exeNETSTAT.EXEpid process 1992 vbc.exe 1992 vbc.exe 1992 vbc.exe 1692 NETSTAT.EXE 1692 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.exeNETSTAT.EXEExplorer.EXEdescription pid process Token: SeDebugPrivilege 1992 vbc.exe Token: SeDebugPrivilege 1692 NETSTAT.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 2012 EXCEL.EXE 2012 EXCEL.EXE 2012 EXCEL.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEvbc.exevbc.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 672 wrote to memory of 952 672 EQNEDT32.EXE vbc.exe PID 672 wrote to memory of 952 672 EQNEDT32.EXE vbc.exe PID 672 wrote to memory of 952 672 EQNEDT32.EXE vbc.exe PID 672 wrote to memory of 952 672 EQNEDT32.EXE vbc.exe PID 952 wrote to memory of 1648 952 vbc.exe vbc.exe PID 952 wrote to memory of 1648 952 vbc.exe vbc.exe PID 952 wrote to memory of 1648 952 vbc.exe vbc.exe PID 952 wrote to memory of 1648 952 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1648 wrote to memory of 1992 1648 vbc.exe vbc.exe PID 1384 wrote to memory of 1692 1384 Explorer.EXE NETSTAT.EXE PID 1384 wrote to memory of 1692 1384 Explorer.EXE NETSTAT.EXE PID 1384 wrote to memory of 1692 1384 Explorer.EXE NETSTAT.EXE PID 1384 wrote to memory of 1692 1384 Explorer.EXE NETSTAT.EXE PID 1692 wrote to memory of 1584 1692 NETSTAT.EXE cmd.exe PID 1692 wrote to memory of 1584 1692 NETSTAT.EXE cmd.exe PID 1692 wrote to memory of 1584 1692 NETSTAT.EXE cmd.exe PID 1692 wrote to memory of 1584 1692 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\CHIANG LAAN ship particular.xlsx"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"3⤵PID:1584
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\VBC_1_~1.EXEMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
33d3b8285711ffe807b50251ccd9c90f
SHA1d4470e56f20b27fe1fe86a73b25db67641028183
SHA256337e3b1c42b7da40a9bddfb17c346621dcb9b367e7b656ffdaf4f594a41e49c5
SHA512e95c9da513fb6292576a499df804d2c6020d2f2e267e98243dae04db0c62dcfaa0c99612a9ccc225006d58b5f3f60c2a315a676fc80547cf7f84b893a6aa4ed9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
33d3b8285711ffe807b50251ccd9c90f
SHA1d4470e56f20b27fe1fe86a73b25db67641028183
SHA256337e3b1c42b7da40a9bddfb17c346621dcb9b367e7b656ffdaf4f594a41e49c5
SHA512e95c9da513fb6292576a499df804d2c6020d2f2e267e98243dae04db0c62dcfaa0c99612a9ccc225006d58b5f3f60c2a315a676fc80547cf7f84b893a6aa4ed9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
33d3b8285711ffe807b50251ccd9c90f
SHA1d4470e56f20b27fe1fe86a73b25db67641028183
SHA256337e3b1c42b7da40a9bddfb17c346621dcb9b367e7b656ffdaf4f594a41e49c5
SHA512e95c9da513fb6292576a499df804d2c6020d2f2e267e98243dae04db0c62dcfaa0c99612a9ccc225006d58b5f3f60c2a315a676fc80547cf7f84b893a6aa4ed9
-
C:\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
C:\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
33d3b8285711ffe807b50251ccd9c90f
SHA1d4470e56f20b27fe1fe86a73b25db67641028183
SHA256337e3b1c42b7da40a9bddfb17c346621dcb9b367e7b656ffdaf4f594a41e49c5
SHA512e95c9da513fb6292576a499df804d2c6020d2f2e267e98243dae04db0c62dcfaa0c99612a9ccc225006d58b5f3f60c2a315a676fc80547cf7f84b893a6aa4ed9
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
33d3b8285711ffe807b50251ccd9c90f
SHA1d4470e56f20b27fe1fe86a73b25db67641028183
SHA256337e3b1c42b7da40a9bddfb17c346621dcb9b367e7b656ffdaf4f594a41e49c5
SHA512e95c9da513fb6292576a499df804d2c6020d2f2e267e98243dae04db0c62dcfaa0c99612a9ccc225006d58b5f3f60c2a315a676fc80547cf7f84b893a6aa4ed9
-
\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
\Users\Public\vbc.exeMD5
da7b4c213039524dd2cd661cb20e62ae
SHA181ad9e9a3d24242fa7619ad23bb6eed117672a3d
SHA2567d9a7c06ad6bdf4b58d325900a940f3bf830862d108c8cf58d3d77982b87f8c2
SHA512fb55d71a64138bc17f5e7a0c8f6496ddeeb0a156270a1de4b8c0bcee9920a46fef0beba34f1bd0a9d589e5a49ad9d1803b71245a9ec28414c956c594886555af
-
memory/672-57-0x0000000075C11000-0x0000000075C13000-memory.dmpFilesize
8KB
-
memory/952-62-0x0000000000000000-mapping.dmp
-
memory/1384-94-0x00000000060D0000-0x000000000617E000-memory.dmpFilesize
696KB
-
memory/1384-87-0x0000000007320000-0x000000000749D000-memory.dmpFilesize
1.5MB
-
memory/1584-89-0x0000000000000000-mapping.dmp
-
memory/1648-74-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB
-
memory/1648-77-0x0000000004EA0000-0x0000000004EEB000-memory.dmpFilesize
300KB
-
memory/1648-67-0x0000000000000000-mapping.dmp
-
memory/1648-76-0x00000000006A0000-0x00000000006A5000-memory.dmpFilesize
20KB
-
memory/1648-70-0x00000000011D0000-0x00000000011D1000-memory.dmpFilesize
4KB
-
memory/1692-88-0x0000000000000000-mapping.dmp
-
memory/1692-93-0x0000000002020000-0x00000000020B0000-memory.dmpFilesize
576KB
-
memory/1692-90-0x00000000000E0000-0x00000000000E9000-memory.dmpFilesize
36KB
-
memory/1692-91-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/1692-92-0x0000000002120000-0x0000000002423000-memory.dmpFilesize
3.0MB
-
memory/1992-80-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1992-86-0x0000000000190000-0x00000000001A1000-memory.dmpFilesize
68KB
-
memory/1992-85-0x00000000009E0000-0x0000000000CE3000-memory.dmpFilesize
3.0MB
-
memory/1992-82-0x000000000041D490-mapping.dmp
-
memory/1992-81-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1992-79-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2012-54-0x000000002F671000-0x000000002F674000-memory.dmpFilesize
12KB
-
memory/2012-55-0x0000000071281000-0x0000000071283000-memory.dmpFilesize
8KB
-
memory/2012-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2012-95-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB