formbook | ff4e17d62ce9c71164879418e7942cecf8db37b16cb66adebc6c2570840f8524

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-en-20211104
submitted
25-11-2021 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Details.xlsx
Size

229KB
MD5

f49e322b837835ac60cad8c173ecff31
SHA1

c7cddfbf865b528d1bbbbe5c5f3974279cc8b6f5
SHA256

ff4e17d62ce9c71164879418e7942cecf8db37b16cb66adebc6c2570840f8524
SHA512

c5ce7feb4a44d0a3c0ba17c1104d599409c66c1a36e68f382df9048e18f02349c16cf4de21437f988e4779ce56847b9574dd83562dd1239bc88358922e2826b9

Score

10^/10

formbook g2fg rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

http://www.blancheshelley.xyz/g2fg/

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1596-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1596-80-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/1192-82-0x00000000022A0000-0x0000000002EEA000-memory.dmp	formbook
behavioral1/memory/876-91-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1632 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1544 vbc.exe
1352 vbc.exe
1596 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1632 EQNEDT32.EXE
1632 EQNEDT32.EXE
1632 EQNEDT32.EXE
1632 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	1632	EQNEDT32.EXE

pid	process
1632	EQNEDT32.EXE
1632	EQNEDT32.EXE
1632	EQNEDT32.EXE
1632	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exewlanext.exe

description	pid	process	target process
PID 1544 set thread context of 1596	1544	vbc.exe	vbc.exe
PID 1596 set thread context of 1384	1596	vbc.exe	Explorer.EXE
PID 876 set thread context of 1384	876	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

896 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1632 EQNEDT32.EXE

pid	process
896	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1632	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1444 EXCEL.EXE

pid	process
1444	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

vbc.exevbc.exepowershell.exewlanext.exe

pid	process
1544	vbc.exe
1544	vbc.exe
1596	vbc.exe
1596	vbc.exe
1192	powershell.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe
876	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exewlanext.exe

pid process

1596 vbc.exe
1596 vbc.exe
1596 vbc.exe
876 wlanext.exe
876 wlanext.exe

pid	process
1384	Explorer.EXE

pid	process
1596	vbc.exe
1596	vbc.exe
1596	vbc.exe
876	wlanext.exe
876	wlanext.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exepowershell.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1544	vbc.exe
Token: SeDebugPrivilege	1596	vbc.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	876	wlanext.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1444 EXCEL.EXE
1444 EXCEL.EXE
1444 EXCEL.EXE

pid	process
1444	EXCEL.EXE
1444	EXCEL.EXE
1444	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1632 wrote to memory of 1544	1632	EQNEDT32.EXE	vbc.exe
PID 1632 wrote to memory of 1544	1632	EQNEDT32.EXE	vbc.exe
PID 1632 wrote to memory of 1544	1632	EQNEDT32.EXE	vbc.exe
PID 1632 wrote to memory of 1544	1632	EQNEDT32.EXE	vbc.exe
PID 1544 wrote to memory of 1192	1544	vbc.exe	powershell.exe
PID 1544 wrote to memory of 1192	1544	vbc.exe	powershell.exe
PID 1544 wrote to memory of 1192	1544	vbc.exe	powershell.exe
PID 1544 wrote to memory of 1192	1544	vbc.exe	powershell.exe
PID 1544 wrote to memory of 896	1544	vbc.exe	schtasks.exe
PID 1544 wrote to memory of 896	1544	vbc.exe	schtasks.exe
PID 1544 wrote to memory of 896	1544	vbc.exe	schtasks.exe
PID 1544 wrote to memory of 896	1544	vbc.exe	schtasks.exe
PID 1544 wrote to memory of 1352	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1352	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1352	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1352	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1596	1544	vbc.exe	vbc.exe
PID 1384 wrote to memory of 876	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 876	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 876	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 876	1384	Explorer.EXE	wlanext.exe
PID 876 wrote to memory of 1668	876	wlanext.exe	cmd.exe
PID 876 wrote to memory of 1668	876	wlanext.exe	cmd.exe
PID 876 wrote to memory of 1668	876	wlanext.exe	cmd.exe
PID 876 wrote to memory of 1668	876	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Details.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1668

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OmnbtuhFsJys.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B7D.tmp"
3⤵
- Creates scheduled task(s)
PID:896

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1352

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8B7D.tmp
MD5
3030641165952bf3bc67953295c86c6a

SHA1
616cd4ccfc7f488ddedc39eea5425952db421002

SHA256
5a9b6f8346681846a8192cca6ddb635a482138fdf674fe3a38a02754e4941c7f

SHA512
f15b6d9481024a0c0916ed223fca9aafb083ddc546a741e1b435d6a78e67d32fc4f9b55fade447e32c1b15afa07e8db3665866d6862e4131d3d126a53274a6e3

Download Submit
C:\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
C:\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
C:\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
C:\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
\Users\Public\vbc.exe
MD5
0f88779e9500075de85e916637305164

SHA1
ee1b3af259e9f03239441681f00aaddd28e4e8fb

SHA256
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238

SHA512
adefee155a0579da0dc75e4aff162635338150a884ddddf47c732a67d69e2f56471cddd64a7cffb743defc040185ce146b713c6511b3dac709d4956e2d30ea31

Download Submit
memory/876-89-0x0000000000000000-mapping.dmp

Download
memory/876-94-0x0000000000550000-0x00000000005E3000-memory.dmp

Filesize
588KB

Download
memory/876-91-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/876-93-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/876-90-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/896-73-0x0000000000000000-mapping.dmp

Download
memory/1192-72-0x0000000000000000-mapping.dmp

Download
memory/1192-88-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1192-84-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1192-82-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1384-95-0x00000000069B0000-0x0000000006A8E000-memory.dmp

Filesize
888KB

Download
memory/1384-87-0x0000000006E80000-0x0000000006FE3000-memory.dmp

Filesize
1.4MB

Download
memory/1444-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1444-56-0x0000000071A81000-0x0000000071A83000-memory.dmp

Filesize
8KB

Download
memory/1444-55-0x000000002FA61000-0x000000002FA64000-memory.dmp

Filesize
12KB

Download
memory/1444-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1544-69-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1544-63-0x0000000000000000-mapping.dmp

Download
memory/1544-71-0x0000000005130000-0x00000000051AE000-memory.dmp

Filesize
504KB

Download
memory/1544-70-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1544-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1596-85-0x0000000000D60000-0x0000000001063000-memory.dmp

Filesize
3.0MB

Download
memory/1596-86-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1596-80-0x000000000041F160-mapping.dmp

Download
memory/1596-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-58-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/1668-92-0x0000000000000000-mapping.dmp

Download