Analysis
-
max time kernel: 161s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211014
submitted: 03-11-2021 11:07
Static task: static1
Behavioral task: behavioral1
  Sample: TT_0032411983221 advice.xlsx
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: TT_0032411983221 advice.xlsx
  Resource: win10-en-20211014
General
-
Target: TT_0032411983221 advice.xlsx
Size: 185KB
MD5: 8601e9fbd0710b734aaa95ba56ebf397
SHA1: d5fefeba0606f92a7223bbe51091132404670daa
SHA256: b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9
SHA512: 2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ga6b
C2: http://www.egyptian-museum.com/ga6b/
diasporacospices.com
sd-shenghe.com
onlinewritingjobs.net
greenstreamgroup.store
garageair.agency
idh-bf.com
middenhavendambreskens.com
szkoleniawcag.online
wiremefeelings.com
ottosperformance.com
brothermush.com
weiserpath.com
baohiemtv24h.com
glassgalaxynft.com
spiritualmind.space
18130072012.com
3v0.space
smartgadgetscompare.com
corvusexpeditii.xyz
egcontabilidade.website
find0utnowfy.info
soulwinningministry.com
digitaldreamcloud.net
service-portal-kundendaten.com
theselectdifference.com
burodev.com
mustafacesuryildiz.com
grupodeinvestigacion.com
toyotadisurabaya.com
partnerbenifits.com
belledescontos.com
nobodybutgod.com
bumiths.com
acacave.com
septoctets.xyz
www73w.xyz
afghantattoos.com
interiorsbe.com
ara7z.com
qqcx666888.top
onra.top
sunfucker.net
suhuabo.com
tangerineinit.com
era636.com
lovenft.xyz
maviesurdvd.com
gullatz-consulting.com
duopasteleras.com
mystudentregistration.com
5559913.win
gritzcharlestonluxuryinn.store
themexicanbg.com
senshop.store
woodentoysforkids.store
globalgamelan.com
anjumanmuhibaneabbas.com
seattleinsurancebrokers.com
naiduteja049.info
traction.legal
twisteid.com
necesryaou.com
apan-group.com
infinityrope.store
Signatures
-
Detect Neshta Payload 7 IoCs
Processes:
resource | yara_rule
\Users\Public\vbc.exe | family_neshta
\Users\Public\vbc.exe | family_neshta
\Users\Public\vbc.exe | family_neshta
\Users\Public\vbc.exe | family_neshta
C:\Users\Public\vbc.exe | family_neshta
C:\Users\Public\vbc.exe | family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE | family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | vbc.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1088-74-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1088-75-0x000000000041D4E0-mapping.dmp | xloader
behavioral1/memory/896-84-0x0000000000070000-0x0000000000099000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
4 | 856 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: vbc.exe, vbc.exe, vbc.exe
pid | process
1572 | vbc.exe
1880 | vbc.exe
1088 | vbc.exe
-
Loads dropped DLL 8 IoCs
Processes: EQNEDT32.EXE, vbc.exe, vbc.exe
pid | process
856 | EQNEDT32.EXE
856 | EQNEDT32.EXE
856 | EQNEDT32.EXE
856 | EQNEDT32.EXE
1572 | vbc.exe
1880 | vbc.exe
1880 | vbc.exe
1572 | vbc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes: vbc.exe, vbc.exe, cscript.exe
description | pid | process | target process
PID 1880 set thread context of 1088 | 1880 | vbc.exe | vbc.exe
PID 1088 set thread context of 1264 | 1088 | vbc.exe | Explorer.EXE
PID 896 set thread context of 1264 | 896 | cscript.exe | Explorer.EXE
-
Drops file in Program Files directory 64 IoCs
Processes: vbc.exe
description | ioc | process
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | vbc.exe
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | vbc.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | vbc.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | vbc.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | vbc.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | vbc.exe
-
Drops file in Windows directory 1 IoCs
Processes: vbc.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 17 IoCs
Processes:
resource | yara_rule
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE | nsis_installer_2
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: EXCEL.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
-
Modifies registry class 64 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
476 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: vbc.exe, cscript.exe
pid | process
1088 | vbc.exe (2 occurrences)
896 | cscript.exe (24 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1264 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vbc.exe, cscript.exe
pid | process
1088 | vbc.exe (3 occurrences)
896 | cscript.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: vbc.exe, cscript.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1088 | vbc.exe
Token: SeDebugPrivilege | 896 | cscript.exe
Token: SeShutdownPrivilege | 1264 | Explorer.EXE
Token: SeShutdownPrivilege | 1264 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
pid | process
476 | EXCEL.EXE (3 occurrences)
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: EQNEDT32.EXE, vbc.exe, vbc.exe, Explorer.EXE, cscript.exe
description | pid | process | target process
PID 856 wrote to memory of 1572 (4 occurrences) | 856 | EQNEDT32.EXE | vbc.exe
PID 1572 wrote to memory of 1880 (4 occurrences) | 1572 | vbc.exe | vbc.exe
PID 1880 wrote to memory of 1088 (7 occurrences) | 1880 | vbc.exe | vbc.exe
PID 1264 wrote to memory of 896 (4 occurrences) | 1264 | Explorer.EXE | cscript.exe
PID 896 wrote to memory of 1368 (4 occurrences) | 896 | cscript.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1264
    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT_0032411983221 advice.xlsx"
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 476
    C:\Windows\SysWOW64\cscript.exe
        Command line: "C:\Windows\SysWOW64\cscript.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 896
        C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
            PID: 1368
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
    PID: 856
    C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 1572
        C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 1880
            C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                PID: 1088
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\LOADER~1.EXE
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5 2cdc3d96a11abe92e9869d888d6c1696
SHA1 910cb0036b3e9a2834208a2361ca28912ade8f6c
SHA256 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
SHA512 dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5 2cdc3d96a11abe92e9869d888d6c1696
SHA1 910cb0036b3e9a2834208a2361ca28912ade8f6c
SHA256 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
SHA512 dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5 2cdc3d96a11abe92e9869d888d6c1696
SHA1 910cb0036b3e9a2834208a2361ca28912ade8f6c
SHA256 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
SHA512 dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
-
C:\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
C:\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5 2cdc3d96a11abe92e9869d888d6c1696
SHA1 910cb0036b3e9a2834208a2361ca28912ade8f6c
SHA256 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
SHA512 dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5 2cdc3d96a11abe92e9869d888d6c1696
SHA1 910cb0036b3e9a2834208a2361ca28912ade8f6c
SHA256 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
SHA512 dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
-
\Users\Admin\AppData\Local\Temp\nsy734D.tmp\tdledysx.dll
MD5 ab2962aabbe70e27d355dacf203405e6
SHA1 729bb1a7412903e2574ccc129409b70cbd55e01a
SHA256 dc3786cc8cbf1abd5261926553b407c82c97eefa6d4cafdb3c7147295a65e450
SHA512 3e8c94d585a02f108fd2fd0bfef3a252e196280e03a2e17e3b5d978a6d9ae5652cdfc5bc9ddd5df2f986a1d1e3fe959391be75a49e84d51771dea3d0854f3d40
-
\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
\Users\Public\vbc.exe
MD5 36ca5751b0b2d9321215f223a18aefbf
SHA1 c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512 f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
-
memory/476-90-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
-
memory/476-55-0x000000002FA11000-0x000000002FA14000-memory.dmp (Filesize: 12KB)
-
memory/476-56-0x0000000071261000-0x0000000071263000-memory.dmp (Filesize: 8KB)
-
memory/476-57-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
-
memory/856-58-0x0000000075B71000-0x0000000075B73000-memory.dmp (Filesize: 8KB)
-
memory/896-83-0x0000000000D40000-0x0000000000D62000-memory.dmp (Filesize: 136KB)
-
memory/896-85-0x0000000002170000-0x0000000002473000-memory.dmp (Filesize: 3.0MB)
-
memory/896-86-0x0000000000970000-0x0000000000A00000-memory.dmp (Filesize: 576KB)
-
memory/896-84-0x0000000000070000-0x0000000000099000-memory.dmp (Filesize: 164KB)
-
memory/896-81-0x0000000000000000-mapping.dmp
-
memory/1088-78-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
-
memory/1088-79-0x00000000002D0000-0x00000000002E1000-memory.dmp (Filesize: 68KB)
-
memory/1088-75-0x000000000041D4E0-mapping.dmp
-
memory/1088-74-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
-
memory/1264-80-0x0000000006BD0000-0x0000000006CD9000-memory.dmp (Filesize: 1.0MB)
-
memory/1264-89-0x0000000006EA0000-0x0000000006FE6000-memory.dmp (Filesize: 1.3MB)
-
memory/1264-91-0x000007FEF5FA0000-0x000007FEF60E3000-memory.dmp (Filesize: 1.3MB)
-
memory/1264-92-0x000007FECDDE0000-0x000007FECDDEA000-memory.dmp (Filesize: 40KB)
-
memory/1368-82-0x0000000000000000-mapping.dmp
-
memory/1572-63-0x0000000000000000-mapping.dmp
-
memory/1880-68-0x0000000000000000-mapping.dmp