Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-12-2021 13:15
Static task
static1
Behavioral task
behavioral1
Sample
Order Confirmation nr. 2021-O-1274.xlsx
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Order Confirmation nr. 2021-O-1274.xlsx
Resource
win10-en-20211208
General
-
Target
Order Confirmation nr. 2021-O-1274.xlsx
-
Size
797KB
-
MD5
f2c6d74d9faa8dd958dbd50101a95792
-
SHA1
489079097bc05626dccd8d6079e925079305ca43
-
SHA256
0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26
-
SHA512
43183d5b1bd787789ffd40d323b1f236c246ddabcbde366671c34d7b733fb94c470839c9810d7cd4f0338ea235052b7c860e9ec1b15a1b8c414e7aec3b86ed2e
Malware Config
Extracted
xloader
2.5
fqiq
http://www.esyscoloradosprings.com/fqiq/
driventow.com
ipatchwork.today
bolder.equipment
seal-brother.com
mountlaketerraceapartments.com
weeden.xyz
sanlifalan.com
athafood.com
isshinn1.com
creationslazzaroni.com
eclecticrenaissancewoman.com
satellitephonstore.com
cotchildcare.com
yamacorp.digital
ff4cuno43.xyz
quicksticks.community
govindfinance.com
farmersfirstseed.com
megacinema.club
tablescaperendezvous4two.com
ecarehomes.com
floaterslaser.com
benisano.com
saint444.com
thedusi.com
avafxtrade.online
hanenosuke.com
suntioil4u.com
healthyweekendtips.com
24000words.com
ofbchina.net
begukiu0.info
wolmoda.com
mask60.com
4bellemaison.com
mambacustomboats.com
sedsn.com
doggycc.com
kangrungao.com
pharmacistcharisma.com
passiverewardssystems.com
qywyfeo8.xyz
shenjiclass.com
rdoi.top
lavishbynovell.com
fleetton.com
hillcresthomegroup.com
hartfulcleaning.com
srofkansas.com
applebroog.industries
phillytrainers.com
dmc--llc.com
sosoon.store
daysyou.com
controldatasa.com
markarge.com
hirayaawards.com
clinicscluster.com
sophiagunterman.art
kirtansangeet.com
residential.insure
ribbonofficial.com
qianhaijcc.com
fytvankin.quest
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1632-67-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1632-68-0x000000000041D4B0-mapping.dmp xloader behavioral1/memory/1728-76-0x00000000000C0000-0x00000000000E9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 776 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1060 vbc.exe 1632 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 776 EQNEDT32.EXE 776 EQNEDT32.EXE 776 EQNEDT32.EXE 1060 vbc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.execmd.exedescription pid process target process PID 1060 set thread context of 1632 1060 vbc.exe vbc.exe PID 1632 set thread context of 1380 1632 vbc.exe Explorer.EXE PID 1728 set thread context of 1380 1728 cmd.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1320 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
vbc.execmd.exepid process 1632 vbc.exe 1632 vbc.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe 1728 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
vbc.execmd.exepid process 1632 vbc.exe 1632 vbc.exe 1632 vbc.exe 1728 cmd.exe 1728 cmd.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.execmd.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1632 vbc.exe Token: SeDebugPrivilege 1728 cmd.exe Token: SeShutdownPrivilege 1380 Explorer.EXE Token: SeShutdownPrivilege 1380 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE 1380 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE 1380 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1320 EXCEL.EXE 1320 EXCEL.EXE 1320 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEcmd.exedescription pid process target process PID 776 wrote to memory of 1060 776 EQNEDT32.EXE vbc.exe PID 776 wrote to memory of 1060 776 EQNEDT32.EXE vbc.exe PID 776 wrote to memory of 1060 776 EQNEDT32.EXE vbc.exe PID 776 wrote to memory of 1060 776 EQNEDT32.EXE vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1060 wrote to memory of 1632 1060 vbc.exe vbc.exe PID 1380 wrote to memory of 1728 1380 Explorer.EXE cmd.exe PID 1380 wrote to memory of 1728 1380 Explorer.EXE cmd.exe PID 1380 wrote to memory of 1728 1380 Explorer.EXE cmd.exe PID 1380 wrote to memory of 1728 1380 Explorer.EXE cmd.exe PID 1728 wrote to memory of 2016 1728 cmd.exe cmd.exe PID 1728 wrote to memory of 2016 1728 cmd.exe cmd.exe PID 1728 wrote to memory of 2016 1728 cmd.exe cmd.exe PID 1728 wrote to memory of 2016 1728 cmd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order Confirmation nr. 2021-O-1274.xlsx"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
C:\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
C:\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
\Users\Admin\AppData\Local\Temp\nso1BEB.tmp\jgreidrjri.dllMD5
78764ab85602e39626fd7f3d2c9373ba
SHA1c371ccdaf7a1698e8b670be64e4e0cd27ccd1cc8
SHA25618cdad7be023dd68dbdedc9eca90535f3a1ed81636d3383098eb56a7307f13a4
SHA512e4a2e3af904d6bd9e8d5d7ea0016fa2b4fa5320d9079c772813a95920406e0f03a1ea81533a5152a48667ef48eabc9f3792ac918b127c494edbb3b7c5fec7076
-
\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
\Users\Public\vbc.exeMD5
02e92cd81e96503e161af2816aceeca6
SHA1ae3badc4e7dc0cac71d93e12b9b6349afd12eab5
SHA2562da5894ddf4a54f105d7a36e1e8940b00313b16ccaa74f270c542ed140247386
SHA512ae53bf892eb23e49f951d95e6089044a00d24fcc97e251717358ec55b53cb7500720fdc1ea554ed402c58dfa9d2995b9f1cd974d1f80dc655cf34203647c9ea4
-
memory/776-58-0x0000000074B21000-0x0000000074B23000-memory.dmpFilesize
8KB
-
memory/1060-62-0x0000000000000000-mapping.dmp
-
memory/1320-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-81-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-55-0x000000002FD01000-0x000000002FD04000-memory.dmpFilesize
12KB
-
memory/1320-56-0x0000000070C81000-0x0000000070C83000-memory.dmpFilesize
8KB
-
memory/1380-73-0x0000000007200000-0x00000000073A9000-memory.dmpFilesize
1.7MB
-
memory/1380-80-0x0000000008F10000-0x0000000009045000-memory.dmpFilesize
1.2MB
-
memory/1632-68-0x000000000041D4B0-mapping.dmp
-
memory/1632-72-0x0000000000580000-0x0000000000591000-memory.dmpFilesize
68KB
-
memory/1632-71-0x0000000000700000-0x0000000000A03000-memory.dmpFilesize
3.0MB
-
memory/1632-67-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1728-74-0x0000000000000000-mapping.dmp
-
memory/1728-75-0x000000004A410000-0x000000004A45C000-memory.dmpFilesize
304KB
-
memory/1728-78-0x0000000001ED0000-0x00000000021D3000-memory.dmpFilesize
3.0MB
-
memory/1728-76-0x00000000000C0000-0x00000000000E9000-memory.dmpFilesize
164KB
-
memory/1728-79-0x0000000001E20000-0x0000000001EB0000-memory.dmpFilesize
576KB
-
memory/2016-77-0x0000000000000000-mapping.dmp