Analysis
- max time kernel: 147s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation.xlsx
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Quotation.xlsx
- Resource: win10-en-20211208
General
- Target: Quotation.xlsx
- Size: 176KB
- MD5: fbabc7960bfc286e617f03b4afc97f91
- SHA1: 2835e9b293dff1d61096a7f6d44c068e2a8c1eb4
- SHA256: 43dfdf1d47b81747c11e3340969201c90ea08b7d25505c292cb3dfcedfc89df4
- SHA512: b54765759169ff14f8945ae995ecd5a40663f78acf556d70c640c167d1dd9241f6d3dca9c265fb3adbad5e5adc65772763ab0ffe04df609f73d9bbb4b6d43471
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: g2fg
- Domains:
snowcrash.website
pointman.us
newheartvalve.care
drandl.com
sandspringsramblers.com
programagubernamental.online
boja.us
mvrsnike.com
mentallyillmotherhood.com
facom.us
programagubernamental.store
izivente.com
roller-v.fr
amazonbioactives.com
metaverseapple.xyz
5gt-mobilevsverizon.com
gtwebsolutions.co
scottdunn.life
usdp.trade
pikmin.run
cardano-dogs.com
bf2hgfy.xyz
teslafoot.com
rubertquintana.com
wellsfargroewards.com
santel.us
couponatonline.com
theunitedhomeland.com
pmstnly.com
strlocal.com
shelleysmucker.com
youser.online
emansdesign.com
usnikeshoesbot.top
starfish.press
scotwork.us
metamorgana.com
onyxbx.net
rivas.company
firstcoastalfb.com
onpurposetraumainformedcare.com
celimot.xyz
jecunikepemej.rest
lenovolatenightit.com
unitedsterlingcompanyky.com
safety2venture.us
facebookismetanow.com
scottdunn.review
mentallyillmotherhood.com
firstincargo.com
vikavivi.com
investmenofpairs.club
nexans.cloud
farcloud.fr
ivermectinforhumans.quest
5gmalesdf.sbs
majenta.info
6vvvvvwmetam.top
metafirstclass.com
firstcoinnews.com
btcetffutures.online
funinfortmyers.com
mangoirslk.top
metaversebasicprivacy.com
blancheshelley.xyz
Signatures
Formbook Payload 3 IoCs
Processes:
- resource behavioral1/memory/916-74-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule formbook
- resource behavioral1/memory/1600-86-0x00000000000C0000-0x00000000000EF000-memory.dmp, yara_rule formbook
- resource behavioral1/memory/1600-88-0x00000000007F0000-0x0000000002111000-memory.dmp, yara_rule formbook
Blocklisted process makes network request 1 IoCs
Processes:
- flow 4, pid 1376, process EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes:
- pid 1984, process vbc.exe
- pid 916, process vbc.exe
Loads dropped DLL 4 IoCs
Processes:
- pid 1376, process EQNEDT32.EXE (4 occurrences)
Uses the VBS compiler for execution 1 TTPs
Drops file in System32 directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (process powershell.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1984 set thread context of 916 (pid 1984, process vbc.exe, target process vbc.exe)
- PID 916 set thread context of 1416 (pid 916, process vbc.exe, target process Explorer.EXE)
- PID 1600 set thread context of 1416 (pid 1600, process explorer.exe, target process Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process EXCEL.EXE)
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes:
Process: EXCEL.EXE (all entries below)
- Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt
- Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
Modifies registry class 64 IoCs
Processes:
Process: EXCEL.EXE (all entries below)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1660, process EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
- pid 916, process vbc.exe (2 occurrences)
- pid 1488, process powershell.exe (1 occurrence)
- pid 1600, process explorer.exe (17 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1416, process Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 916, process vbc.exe (3 occurrences)
- pid 1600, process explorer.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeDebugPrivilege (pid 916, process vbc.exe)
- Token: SeDebugPrivilege (pid 1488, process powershell.exe)
- Token: SeDebugPrivilege (pid 1600, process explorer.exe)
- Token: SeShutdownPrivilege (pid 1416, process Explorer.EXE)
- Token: SeShutdownPrivilege (pid 1416, process Explorer.EXE)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid 1660, process EXCEL.EXE (3 occurrences)
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
- PID 1376 wrote to memory of 1984 (pid 1376, process EQNEDT32.EXE, target process vbc.exe), 4 occurrences
- PID 1984 wrote to memory of 1488 (pid 1984, process vbc.exe, target process powershell.exe), 4 occurrences
- PID 1984 wrote to memory of 1372 (pid 1984, process vbc.exe, target process schtasks.exe), 4 occurrences
- PID 1984 wrote to memory of 916 (pid 1984, process vbc.exe, target process vbc.exe), 7 occurrences
- PID 1416 wrote to memory of 1600 (pid 1416, process Explorer.EXE, target process explorer.exe), 4 occurrences
- PID 1600 wrote to memory of 676 (pid 1600, process explorer.exe, target process cmd.exe), 4 occurrences
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SjnJDaeyWUC.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SjnJDaeyWUC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp"
      - Creates scheduled task(s)
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp
  MD5: 3cc777f730efe0c74f96ad63b9836fd6
  SHA1: 74134318d64144f6a206660ac0dfb4e87fd9e663
  SHA256: 4b25127f91d5aa225fb0494a3a63385b2181575f71ad32f9bcafb94fd214e2ea
  SHA512: 7da407f2cb4afb07ff2fba84e64f08f735eb3231212506dbb845c575d6970b02a66834b67bd8bbd1987e54110f51bd008f621533e7f0bbe2cdb46f2c48468805
- C:\Users\Public\vbc.exe
  MD5: cdc3220cc6be8eb55796d538a32233d8
  SHA1: 44a4112f85212f4be348c42710009fcec6337063
  SHA256: 7a39f705b79a26591fa930c917ebf37ac8f0394017521970a45cb8c49c3bbb65
  SHA512: 19a87701c03cce8056b361169526c830aad391ffea85849d1d69186354f032446126dcd373e11ea7d2b62dcde8bb84f8fd22f53e92d7b2a7f91bf170d98ef02b
- \Users\Public\vbc.exe
  MD5: cdc3220cc6be8eb55796d538a32233d8
  SHA1: 44a4112f85212f4be348c42710009fcec6337063
  SHA256: 7a39f705b79a26591fa930c917ebf37ac8f0394017521970a45cb8c49c3bbb65
  SHA512: 19a87701c03cce8056b361169526c830aad391ffea85849d1d69186354f032446126dcd373e11ea7d2b62dcde8bb84f8fd22f53e92d7b2a7f91bf170d98ef02b
- memory/916-73-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
- memory/916-72-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
- memory/916-78-0x0000000000190000-0x00000000001A4000-memory.dmp, Filesize: 80KB
- memory/916-77-0x0000000000890000-0x0000000000B93000-memory.dmp, Filesize: 3.0MB
- memory/916-74-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
- memory/1416-89-0x0000000003D50000-0x0000000003DED000-memory.dmp, Filesize: 628KB
- memory/1416-80-0x0000000007130000-0x000000000728C000-memory.dmp, Filesize: 1.4MB
- memory/1488-82-0x00000000020A2000-0x00000000020A4000-memory.dmp, Filesize: 8KB
- memory/1488-79-0x00000000020A0000-0x00000000020A1000-memory.dmp, Filesize: 4KB
- memory/1488-81-0x00000000020A1000-0x00000000020A2000-memory.dmp, Filesize: 4KB
- memory/1600-84-0x0000000068E71000-0x0000000068E73000-memory.dmp, Filesize: 8KB
- memory/1600-88-0x00000000007F0000-0x0000000002111000-memory.dmp, Filesize: 25.1MB
- memory/1600-87-0x0000000002420000-0x0000000002723000-memory.dmp, Filesize: 3.0MB
- memory/1600-86-0x00000000000C0000-0x00000000000EF000-memory.dmp, Filesize: 188KB
- memory/1600-85-0x00000000002A0000-0x0000000000521000-memory.dmp, Filesize: 2.5MB
- memory/1660-57-0x0000000075F81000-0x0000000075F83000-memory.dmp, Filesize: 8KB
- memory/1660-54-0x000000002FA01000-0x000000002FA04000-memory.dmp, Filesize: 12KB
- memory/1660-55-0x0000000071551000-0x0000000071553000-memory.dmp, Filesize: 8KB
- memory/1660-56-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/1660-90-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/1984-67-0x0000000004E60000-0x0000000004E61000-memory.dmp, Filesize: 4KB
- memory/1984-68-0x0000000000250000-0x000000000025C000-memory.dmp, Filesize: 48KB
- memory/1984-69-0x0000000005850000-0x00000000058BA000-memory.dmp, Filesize: 424KB
- memory/1984-65-0x0000000000BA0000-0x0000000000C7A000-memory.dmp, Filesize: 872KB