Payment_Advise.xlsx

General
Target: Payment_Advise.xlsx
Filesize: 360KB
Completed: 22-10-2021 18:23
Score: 10/10
MD5: 34f843f6f1b3011a7cdb63753853ef58
SHA1: 922ebd64f7ffe9d8548d467b631f6bdf2ede6106
SHA256: fbdb8f368721ccfea456f2e6f232304acff371bdb62a5140b9fc44bd224e0d57

Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: kzk9
C2: http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com

Signatures (19)

Tactics tagged on the signatures below: Defense Evasion, Discovery, Execution
  • Formbook

    Description

    FormBook is a commodity information stealer: it hooks browsers and other applications to grab submitted form data and credentials, logs keystrokes and clipboard contents, takes screenshots, and reports to its C2 over HTTP. The config above was extracted from memory. FormBook embeds a list of decoy domains alongside the real C2 to muddy network indicators, so treat the C2 URL as the actionable indicator and the decoy list as context.

  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/912-72-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
    behavioral1/memory/912-73-0x000000000041EB80-mapping.dmp | formbook
    behavioral1/memory/1764-81-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
  • Blocklisted process makes network request
    EQNEDT32.EXE

    Reported IOCs

    flow | pid | process
    4 | 584 | EQNEDT32.EXE
  • Downloads MZ/PE file
  • Executes dropped EXE
    vbc.exe, vbc.exe

    Reported IOCs

    pid | process
    1780 | vbc.exe
    912 | vbc.exe
  • Loads dropped DLL
    EQNEDT32.EXE

    Reported IOCs

    pid | process | count
    584 | EQNEDT32.EXE | 4
  • Uses the VBS compiler for execution

    Description

    This signature matches on the process name vbc.exe. Here the file is the payload downloaded to C:\Users\Public (see Downloads and "Executes dropped EXE"), not the .NET Visual Basic compiler, so read it as a file-name lure rather than abuse of the real compiler.

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    vbc.exe, vbc.exe, systray.exe

    Reported IOCs

    description | pid | process | target process
    PID 1780 set thread context of 912 | 1780 | vbc.exe | vbc.exe
    PID 912 set thread context of 1268 | 912 | vbc.exe | Explorer.EXE
    PID 1764 set thread context of 1268 | 1764 | systray.exe | Explorer.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor (EQNEDT32.EXE) is a legacy Office component that runs out-of-process under DCOM (hence the -Embedding switch) when a document carries an Equation Editor OLE object. It is the target of CVE-2017-11882 and related memory-corruption bugs. A benign Equation Editor never downloads files or starts child processes, so the network flow and the vbc.exe child attributed to PID 584 in this report are the post-exploitation tell.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    584 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE, Explorer.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
  • Modifies registry class
    EXCEL.EXE, Explorer.EXE

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | EXCEL.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
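The REG_BINARY `command` values in the two registry signatures above (the long `78006200270042005600...` blobs under Default HTML Editor, Default MHTML Editor and the .htm/.mht OpenWithList keys) are the part of this report most likely to be misread as malware persistence. Decoding them shows otherwise: they are UTF-16LE Windows Installer advertised-component strings (Darwin descriptors) that Office 2010 writes when EXCEL.EXE re-registers its file associations, and their command tails are plain Office switches with a `%1` placeholder. The Python below is an added example, not part of the sandbox report. It decodes the three distinct blobs copied from the IOC tables and splits each into product id, feature, component id and command tail; the `DarwinDescriptor` type, the `tail_is_benign` heuristic and the blob labels are this example's own.

```python
"""Decode the REG_BINARY 'command' blobs EXCEL.EXE wrote (added example, not part
of the sandbox report). Each blob is a UTF-16LE Windows Installer Darwin descriptor:

    <20-char compressed product GUID><feature name>'>'<20-char compressed component GUID><command tail>

The compressed GUIDs use the Installer's own base-85 packing; this script splits
the descriptor into its fields but does not expand them."""
from dataclasses import dataclass

# Hex copied verbatim from the report's registry IOCs. Three distinct blobs occur.
BLOBS = {
    # Default HTML/MHTML Editor\shell\edit\command and .mht OpenWithList\WinWord.exe
    "word": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    # .htm and .mht OpenWithList\MSPub.exe
    "publisher": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
    # .mht OpenWithList\Excel.exe
    "excel": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
}


@dataclass(frozen=True)
class DarwinDescriptor:
    product: str    # compressed product code GUID, always 20 chars
    feature: str    # Installer feature name, e.g. WORDFiles
    component: str  # compressed component GUID, always 20 chars
    args: str       # command-line tail Office appends, e.g. ' /n "%1"'


def decode_utf16le_hex(blob: str) -> str:
    """REG_BINARY hex dump -> str, with the trailing NUL terminators removed."""
    return bytes.fromhex(blob).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> DarwinDescriptor:
    """Split a decoded descriptor into its fields; raise if the layout is off."""
    if len(text) < 41 or ">" not in text[20:]:
        raise ValueError("not a Darwin descriptor: %r" % text[:40])
    product, rest = text[:20], text[20:]
    feature, _, tail = rest.partition(">")
    component, args = tail[:20], tail[20:]
    if not feature or len(component) != 20:
        raise ValueError("truncated descriptor: %r" % text)
    return DarwinDescriptor(product, feature, component, args)


def decode_blob(blob: str) -> DarwinDescriptor:
    return parse_darwin_descriptor(decode_utf16le_hex(blob))


def tail_is_benign(args: str) -> bool:
    """True when the command tail is only Office switches plus the %1 placeholder.
    A hijacked handler would carry a dropped executable, script or URL here."""
    tokens = args.replace('"', "").split()
    return all(tok.startswith("/") or tok == "%1" for tok in tokens)


if __name__ == "__main__":
    for label, blob in BLOBS.items():
        d = decode_blob(blob)
        print(f"{label:9} feature={d.feature:10} component={d.component} "
              f"args={d.args!r} benign_tail={tail_is_benign(d.args)}")
```

All three blobs share the same 20-character product id (one Office 2010 product code) and differ only in feature (WORDFiles, PubPrimary, EXCELFiles), component and tail, which is exactly what Office's own file-association advertisement looks like. The check a triager wants is the tail: anything other than switches and `%1` in a handler command is worth a closer look.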
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1496 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, vbc.exe, systray.exe

    Reported IOCs

    pid | process | count
    1780 | vbc.exe | 6
    912 | vbc.exe | 2
    1764 | systray.exe | 45
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1268 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    vbc.exe, systray.exe

    Reported IOCs

    pid | process | count
    912 | vbc.exe | 3
    1764 | systray.exe | 2
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe, vbc.exe, systray.exe, Explorer.EXE

    Reported IOCs

    description | pid | process | count
    Token: SeDebugPrivilege | 1780 | vbc.exe | 1
    Token: SeDebugPrivilege | 912 | vbc.exe | 1
    Token: SeDebugPrivilege | 1764 | systray.exe | 1
    Token: SeShutdownPrivilege | 1268 | Explorer.EXE | 9
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process | count
    1496 | EXCEL.EXE | 3
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, vbc.exe, Explorer.EXE, systray.exe

    Reported IOCs

    description | pid | process | target process | count
    PID 584 wrote to memory of 1780 | 584 | EQNEDT32.EXE | vbc.exe | 4
    PID 1780 wrote to memory of 912 | 1780 | vbc.exe | vbc.exe | 7
    PID 1268 wrote to memory of 1764 | 1268 | Explorer.EXE | systray.exe | 4
    PID 1764 wrote to memory of 1732 | 1764 | systray.exe | cmd.exe | 4
    PID 1268 wrote to memory of 1436 | 1268 | Explorer.EXE | explorer.exe | 3
Processes (8)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Payment_Advise.xlsx
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1496
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        PID:1732
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      PID:1436
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:912
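Read together with the SetThreadContext and WriteProcessMemory signatures, the process tree above is the complete FormBook delivery chain in this run: EQNEDT32.EXE (started by DCOM with -Embedding) fetches C:\Users\Public\vbc.exe, the first vbc.exe hollows a second copy of itself, that copy injects into Explorer.EXE, the injected Explorer.EXE launches systray.exe as the resident stealer, and systray.exe removes the dropper through cmd.exe /c del. The Python below is an added example, not part of the sandbox report. It re-encodes that tree as constructed process-creation and cross-process API records (one record per distinct source/target pair, so the repeat counts in the report are dropped; the field names pid/ppid/image/cmdline and the rule names are this example's own) and runs five detection rules over them. In production the process records would come from Sysmon Event ID 1 or equivalent EDR telemetry and the cross-process calls from the EDR's API monitoring.

```python
"""Detection rules for the FormBook chain in this report's process tree (added
example, not part of the sandbox report). Events are constructed from the
'Processes', 'SetThreadContext' and 'WriteProcessMemory' sections; the record
layout and rule names are this example's own."""
from collections import defaultdict

# Process-creation records reconstructed from the report. EQNEDT32.EXE is started
# by DCOM (-Embedding), so its parent is not in the tree and ppid is None.
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PROC_EVENTS = [
    {"pid": 1268, "ppid": None, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1496, "ppid": 1268, "image": OFFICE + r"\EXCEL.EXE",
     "cmdline": f'"{OFFICE}\\EXCEL.EXE" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment_Advise.xlsx'},
    {"pid": 584, "ppid": None, "image": EQN, "cmdline": f'"{EQN}" -Embedding'},
    {"pid": 1780, "ppid": 584, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 912, "ppid": 1780, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1764, "ppid": 1268, "image": r"C:\Windows\SysWOW64\systray.exe", "cmdline": r'"C:\Windows\SysWOW64\systray.exe"'},
    {"pid": 1732, "ppid": 1764, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'/c del "C:\Users\Public\vbc.exe"'},
    {"pid": 1436, "ppid": 1268, "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
]
# Cross-process API records (api, source pid, target pid), one per distinct pair.
API_EVENTS = [
    ("WriteProcessMemory", 584, 1780), ("WriteProcessMemory", 1780, 912),
    ("SetThreadContext", 1780, 912), ("SetThreadContext", 912, 1268),
    ("WriteProcessMemory", 1268, 1764), ("SetThreadContext", 1764, 1268),
    ("WriteProcessMemory", 1764, 1732), ("WriteProcessMemory", 1268, 1436),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, apis):
    """Return one (rule, ...) tuple per rule hit over the event set."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    api_set = set(apis)
    hits = []
    for p in procs:
        name = basename(p["image"])
        # Rule 1: Equation Editor has no business spawning anything; a child of
        # EQNEDT32.EXE -Embedding is the CVE-2017-11882 post-exploitation tell.
        if name == "eqnedt32.exe":
            for c in children[p["pid"]]:
                hits.append(("eqnedt32_child", p["pid"], c["pid"], c["image"]))
        # Rule 2: execution out of the world-writable C:\Users\Public.
        if p["image"].lower().startswith("c:\\users\\public\\"):
            hits.append(("exec_from_public", p["pid"], p["image"]))
        # Rule 3: parent starts a child with its own image, writes its memory and
        # resets its thread context: hollowing of a suspended copy of itself.
        # Requiring both calls keeps Explorer.EXE -> explorer.exe (1436) out.
        parent = by_pid.get(p["ppid"])
        if (parent and basename(parent["image"]) == name
                and ("WriteProcessMemory", parent["pid"], p["pid"]) in api_set
                and ("SetThreadContext", parent["pid"], p["pid"]) in api_set):
            hits.append(("self_hollowing", parent["pid"], p["pid"]))
        # Rule 4: cmd.exe deleting a file under a user-writable path: dropper cleanup.
        cmd = " " + p["cmdline"].lower()
        if name == "cmd.exe" and " del " in cmd and "\\users\\" in cmd:
            hits.append(("dropper_self_delete", p["ppid"], p["pid"], p["cmdline"]))
    # Rule 5: thread-context injection into Explorer.EXE from any other image.
    for api, src, dst in apis:
        if (api == "SetThreadContext" and basename(by_pid[dst]["image"]) == "explorer.exe"
                and basename(by_pid[src]["image"]) != "explorer.exe"):
            hits.append(("explorer_injection", src, dst, basename(by_pid[src]["image"])))
    return hits


def chain(procs, pid):
    """Ancestry of pid as image basenames, root first, for the alert text."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(out))


if __name__ == "__main__":
    for hit in detect(PROC_EVENTS, API_EVENTS):
        print(hit)
    print(" -> ".join(chain(PROC_EVENTS, 912)))
    print(" -> ".join(chain(PROC_EVENTS, 1732)))
```

Rules 1 and 2 fire on the loader stage, rule 3 on the vbc.exe-to-vbc.exe hollowing, rule 5 twice (vbc.exe and systray.exe both redirect a thread in Explorer.EXE), and rule 4 on the cmd.exe cleanup. None of them depend on the file hash or the C2 domain, which is the point: the next FormBook build from this campaign changes both but keeps the chain.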
Network

MITRE ATT&CK Matrix
Tactic columns in the extracted matrix: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. The techniques mapped in this run are the ones listed under the signatures above: Exploitation for Client Execution, Scripting, Query Registry, System Information Discovery, Modify Registry.

Downloads
  • C:\Users\Public\vbc.exe (the report lists this file seven times, as C:\Users\Public\vbc.exe and \Users\Public\vbc.exe, with identical hashes in every entry)
    MD5: f94dd54fedbdf4f0f6992c781476e4a4
    SHA1: 93fb57ab3c31b5fa13827670a003ea203ff904d5
    SHA256: d9db7f117e5fc750e78b0178003bca82684a2a36f951fa0d3a59a58bd178a302
    SHA512: fadf4a955ef4d3d0162c66ac896046177d86b2e9f401e5c02be2b181755827629e617584b853f5f4aa5393391834700ad103cc755e71482b0c3a4b40f7f65ace
  • memory/584-57-0x0000000075871000-0x0000000075873000-memory.dmp
  • memory/912-70-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/912-72-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/912-73-0x000000000041EB80-mapping.dmp
  • memory/912-76-0x0000000000840000-0x0000000000B43000-memory.dmp
  • memory/912-77-0x0000000000210000-0x0000000000224000-memory.dmp
  • memory/912-71-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1268-86-0x0000000006B60000-0x0000000006C11000-memory.dmp
  • memory/1268-78-0x0000000004E60000-0x0000000004F5F000-memory.dmp
  • memory/1436-87-0x0000000000000000-mapping.dmp
  • memory/1436-88-0x000007FEFB541000-0x000007FEFB543000-memory.dmp
  • memory/1496-55-0x0000000070D31000-0x0000000070D33000-memory.dmp
  • memory/1496-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1496-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1496-54-0x000000002FA21000-0x000000002FA24000-memory.dmp
  • memory/1732-83-0x0000000000000000-mapping.dmp
  • memory/1764-84-0x00000000004D0000-0x0000000000563000-memory.dmp
  • memory/1764-79-0x0000000000000000-mapping.dmp
  • memory/1764-80-0x0000000000E30000-0x0000000000E35000-memory.dmp
  • memory/1764-82-0x0000000002240000-0x0000000002543000-memory.dmp
  • memory/1764-81-0x0000000000080000-0x00000000000AE000-memory.dmp
  • memory/1780-62-0x0000000000000000-mapping.dmp
  • memory/1780-65-0x0000000001030000-0x0000000001031000-memory.dmp
  • memory/1780-67-0x00000000004E0000-0x00000000004E1000-memory.dmp
  • memory/1780-68-0x00000000004A0000-0x00000000004A7000-memory.dmp
  • memory/1780-69-0x00000000048C0000-0x000000000490F000-memory.dmp