Analysis
max time kernel: 152s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211014
submitted: 21-10-2021 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: BM09 INV.PL.xlsx
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: BM09 INV.PL.xlsx
  Resource: win10-en-20210920
General
Target: BM09 INV.PL.xlsx
Size: 369KB
MD5: b03819cd2356392079a49fa5f0477ff9
SHA1: c6d295042dbad6daa7eccedddd354f9e90643b31
SHA256: 0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
SHA512: 15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ons6
C2: http://www.parasitevhs.net/ons6/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1280-67-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1280-68-0x000000000041D400-mapping.dmp                    xloader
behavioral1/memory/1280-74-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1964-80-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
4     660  EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1928  vbc.exe
1280  vbc.exe
Loads dropped DLL 4 IoCs
Processes:
pid   process
660   EQNEDT32.EXE
660   EQNEDT32.EXE
660   EQNEDT32.EXE
1928  vbc.exe
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process      target process
PID 1928 set thread context of 1280  1928  vbc.exe      vbc.exe
PID 1280 set thread context of 1300  1280  vbc.exe      Explorer.EXE
PID 1280 set thread context of 1300  1280  vbc.exe      Explorer.EXE
PID 1964 set thread context of 1300  1964  cmmon32.exe  Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
Processes:
resource                 yara_rule
\Users\Public\vbc.exe    nsis_installer_1
\Users\Public\vbc.exe    nsis_installer_2
\Users\Public\vbc.exe    nsis_installer_1
\Users\Public\vbc.exe    nsis_installer_2
\Users\Public\vbc.exe    nsis_installer_1
\Users\Public\vbc.exe    nsis_installer_2
C:\Users\Public\vbc.exe  nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_2
C:\Users\Public\vbc.exe  nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_2
C:\Users\Public\vbc.exe  nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_2
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description  ioc                                                                   process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1700  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid   process
1280  vbc.exe
1280  vbc.exe
1280  vbc.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
1964  cmmon32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1300  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
1280  vbc.exe
1280  vbc.exe
1280  vbc.exe
1280  vbc.exe
1964  cmmon32.exe
1964  cmmon32.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1280  vbc.exe
Token: SeDebugPrivilege     1964  cmmon32.exe
Token: SeShutdownPrivilege  1300  Explorer.EXE
Token: SeShutdownPrivilege  1300  Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1300  Explorer.EXE
1300  Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
1300  Explorer.EXE
1300  Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
1700  EXCEL.EXE
1700  EXCEL.EXE
1700  EXCEL.EXE
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                        pid   process       target process
PID 660 wrote to memory of 1928    660   EQNEDT32.EXE  vbc.exe
PID 660 wrote to memory of 1928    660   EQNEDT32.EXE  vbc.exe
PID 660 wrote to memory of 1928    660   EQNEDT32.EXE  vbc.exe
PID 660 wrote to memory of 1928    660   EQNEDT32.EXE  vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1928 wrote to memory of 1280   1928  vbc.exe       vbc.exe
PID 1280 wrote to memory of 1964   1280  vbc.exe       cmmon32.exe
PID 1280 wrote to memory of 1964   1280  vbc.exe       cmmon32.exe
PID 1280 wrote to memory of 1964   1280  vbc.exe       cmmon32.exe
PID 1280 wrote to memory of 1964   1280  vbc.exe       cmmon32.exe
PID 1964 wrote to memory of 1168   1964  cmmon32.exe   cmd.exe
PID 1964 wrote to memory of 1168   1964  cmmon32.exe   cmd.exe
PID 1964 wrote to memory of 1168   1964  cmmon32.exe   cmd.exe
PID 1964 wrote to memory of 1168   1964  cmmon32.exe   cmd.exe
Processes
Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  Depth 2: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\BM09 INV.PL.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Depth 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\cmmon32.exe
        Command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Public\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5: 5e9c6466f89089a73465bec3e84f6731
SHA1: 7faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA256: 7d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA512: 84241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
\Users\Admin\AppData\Local\Temp\nsy44FD.tmp\rnzyao.dll
MD5: 70e70786ba2215991447cbbf5706f54f
SHA1: 5477a0ec6586cff23039a387f3a1c8968a945d6d
SHA256: cc86b72fe9369a197c80b38555433c296e0e46808b74d75ad719799087642be0
SHA512: 35471023269d350004827ee5565804eaddf01f75ecfa4944e339ae8ec1dd73470a3b11301b00739bd924de1fda9bd2d03d1437455fe78dace83bb6dadd9fda9a
-
\Users\Public\vbc.exe
MD5: 5e9c6466f89089a73465bec3e84f6731
SHA1: 7faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA256: 7d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA512: 84241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
memory/660-58-0x00000000758C1000-0x00000000758C3000-memory.dmp   Filesize: 8KB
memory/1168-78-0x0000000000000000-mapping.dmp
memory/1280-75-0x0000000000580000-0x0000000000591000-memory.dmp  Filesize: 68KB
memory/1280-67-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/1280-68-0x000000000041D400-mapping.dmp
memory/1280-71-0x0000000000950000-0x0000000000C53000-memory.dmp  Filesize: 3.0MB
memory/1280-72-0x00000000003C0000-0x00000000003D1000-memory.dmp  Filesize: 68KB
memory/1280-74-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/1300-83-0x0000000006440000-0x000000000658F000-memory.dmp  Filesize: 1.3MB
memory/1300-76-0x00000000072B0000-0x00000000073BE000-memory.dmp  Filesize: 1.1MB
memory/1300-73-0x00000000070D0000-0x00000000071F4000-memory.dmp  Filesize: 1.1MB
memory/1700-56-0x00000000719F1000-0x00000000719F3000-memory.dmp  Filesize: 8KB
memory/1700-55-0x000000002F601000-0x000000002F604000-memory.dmp  Filesize: 12KB
memory/1700-57-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1700-84-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1928-62-0x0000000000000000-mapping.dmp
memory/1964-77-0x0000000000000000-mapping.dmp
memory/1964-80-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/1964-81-0x0000000002100000-0x0000000002403000-memory.dmp  Filesize: 3.0MB
memory/1964-79-0x0000000000CF0000-0x0000000000CFD000-memory.dmp  Filesize: 52KB
memory/1964-82-0x0000000000890000-0x0000000000920000-memory.dmp  Filesize: 576KB