Analysis
-
max time kernel
157s -
max time network
166s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
27-01-2022 13:05
Static task
static1
Behavioral task
behavioral1
Sample
Payment_Invoice.xlsx
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Payment_Invoice.xlsx
Resource
win10-en-20211208
General
-
Target
Payment_Invoice.xlsx
-
Size
187KB
-
MD5
9f7d77c54d5ffa49ac561bb1f5706699
-
SHA1
c5c461a81a820bd32375ff1635c98b37386b4135
-
SHA256
2b62e99e383cc9acbcdc1db544934279d1584ab113e85b4453a04cb70b64ad96
-
SHA512
5e2c4402dbdbc8dcbd3d9f4aaad8c3e9b9423f003d9279a3102d20e3c7ce1dd971a09f14597129e3cd4717d7adbdb76177833547c935afb4a3076fc12933de30
Malware Config
Extracted
xloader
2.5
nt3f
tricyclee.com
kxsw999.com
wisteria-pavilion.com
bellaclancy.com
promissioskincare.com
hzy001.xyz
checkouthomehd.com
soladere.com
point4sales.com
socalmafia.com
libertadysarmiento.online
nftthirty.com
digitalgoldcryptostock.net
tulekiloscaird.com
austinfishandchicken.com
wlxxch.com
mgav51.xyz
landbanking.global
saprove.com
babyfaces.skin
elainemaxwellcoaching.com
1388xc.com
juveniscloud.com
bsauksjon.com
the-waterkooler.com
comment-changer-sa-vie.com
psmcnd.top
rhodesleadingedge.com
mccuelawfirm.com
skinnscience.club
hype-clicks.com
liaojinc.xyz
okmakers.com
ramblertour.online
wickedhunterworld.com
fit-threads.com
cookidoo.website
magentabin.com
pynch1.com
best-paper-to-know-today.info
allmight.net
monicraftsprintables.com
avataroasis.com
10dian-4.com
cozastore.net
capitalcased.com
spacezanome.xyz
feiyangmi.com
11opus.com
getinteriorsolution.com
tidyhutstore.com
amazingpomskyfamily.com
tfcvintage.com
halfanape.com
rotakb.com
martinasfood.com
the-thanks.com
mithilmehta.com
em-photo.art
primerepro.com
lankasirinspa.com
gtbaibang.com
zealandiatobacco.com
deepikatransportpackers.com
eagle-meter.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1064-65-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1064-71-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1144-76-0x0000000000090000-0x00000000000B9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 1476 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1708 vbc.exe 1064 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 1476 EQNEDT32.EXE 1708 vbc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
vbc.exevbc.execmstp.exedescription pid process target process PID 1708 set thread context of 1064 1708 vbc.exe vbc.exe PID 1064 set thread context of 1372 1064 vbc.exe Explorer.EXE PID 1064 set thread context of 1372 1064 vbc.exe Explorer.EXE PID 1144 set thread context of 1372 1144 cmstp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 8 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1292 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
vbc.execmstp.exepid process 1064 vbc.exe 1064 vbc.exe 1064 vbc.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe 1144 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
vbc.execmstp.exepid process 1064 vbc.exe 1064 vbc.exe 1064 vbc.exe 1064 vbc.exe 1144 cmstp.exe 1144 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
vbc.exeExplorer.EXEcmstp.exedescription pid process Token: SeDebugPrivilege 1064 vbc.exe Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeDebugPrivilege 1144 cmstp.exe Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE -
Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
EXCEL.EXEpid process 1292 EXCEL.EXE 1292 EXCEL.EXE 1292 EXCEL.EXE 1292 EXCEL.EXE 1292 EXCEL.EXE 1292 EXCEL.EXE 1292 EXCEL.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
EQNEDT32.EXEvbc.exevbc.exedescription pid process target process PID 1476 wrote to memory of 1708 1476 EQNEDT32.EXE vbc.exe PID 1476 wrote to memory of 1708 1476 EQNEDT32.EXE vbc.exe PID 1476 wrote to memory of 1708 1476 EQNEDT32.EXE vbc.exe PID 1476 wrote to memory of 1708 1476 EQNEDT32.EXE vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1708 wrote to memory of 1064 1708 vbc.exe vbc.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe PID 1064 wrote to memory of 1144 1064 vbc.exe cmstp.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Payment_Invoice.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
f52e6227038fd13f5351dff792517096
SHA1026dbec6438da97c15811b329f474aac503aa47f
SHA25676206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
SHA512daef7b5ae4070a6b315227a6c0d6b00b54b2302280c6c11c86425ae09cf1816520e8726ec14bd32041a63d5bd9b98d395be1fe25f653465e97a1e8d214c36457
-
C:\Users\Public\vbc.exeMD5
f52e6227038fd13f5351dff792517096
SHA1026dbec6438da97c15811b329f474aac503aa47f
SHA25676206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
SHA512daef7b5ae4070a6b315227a6c0d6b00b54b2302280c6c11c86425ae09cf1816520e8726ec14bd32041a63d5bd9b98d395be1fe25f653465e97a1e8d214c36457
-
C:\Users\Public\vbc.exeMD5
f52e6227038fd13f5351dff792517096
SHA1026dbec6438da97c15811b329f474aac503aa47f
SHA25676206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
SHA512daef7b5ae4070a6b315227a6c0d6b00b54b2302280c6c11c86425ae09cf1816520e8726ec14bd32041a63d5bd9b98d395be1fe25f653465e97a1e8d214c36457
-
\Users\Admin\AppData\Local\Temp\nsyC100.tmp\vdkhvaaf.dllMD5
22a24d63a7b29cd5e2c1ee006f9804e1
SHA19e8c02cf0c2af9a608f04261952478641149846c
SHA25692a63ebf358a3b9b4a6b0dfe68fecb20ae91e7eac78aa3c686566842ca5c72c7
SHA512c10d3babef73ff5afde5999627217e718476b7b9b38dda0174b3aaaec9b4b6e14bbff494b3a997acee57825126ea9ee37293209ae4ccda7bb7cb3d0126f51415
-
\Users\Public\vbc.exeMD5
f52e6227038fd13f5351dff792517096
SHA1026dbec6438da97c15811b329f474aac503aa47f
SHA25676206cfe9c2933e343b7650e368175a1a94b5f25927685e0b3fa5f317696e073
SHA512daef7b5ae4070a6b315227a6c0d6b00b54b2302280c6c11c86425ae09cf1816520e8726ec14bd32041a63d5bd9b98d395be1fe25f653465e97a1e8d214c36457
-
memory/1064-68-0x0000000000800000-0x0000000000B03000-memory.dmpFilesize
3.0MB
-
memory/1064-69-0x00000000002C0000-0x00000000002D1000-memory.dmpFilesize
68KB
-
memory/1064-72-0x00000000003A0000-0x00000000003B1000-memory.dmpFilesize
68KB
-
memory/1064-65-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1064-71-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1144-77-0x00000000021F0000-0x00000000024F3000-memory.dmpFilesize
3.0MB
-
memory/1144-75-0x0000000000DD0000-0x0000000000DE8000-memory.dmpFilesize
96KB
-
memory/1144-76-0x0000000000090000-0x00000000000B9000-memory.dmpFilesize
164KB
-
memory/1144-78-0x0000000000A30000-0x0000000000AC0000-memory.dmpFilesize
576KB
-
memory/1292-55-0x000000002F851000-0x000000002F854000-memory.dmpFilesize
12KB
-
memory/1292-56-0x0000000071B01000-0x0000000071B03000-memory.dmpFilesize
8KB
-
memory/1292-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1292-58-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB
-
memory/1292-80-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1372-70-0x0000000006FD0000-0x000000000713A000-memory.dmpFilesize
1.4MB
-
memory/1372-73-0x00000000072B0000-0x00000000073B1000-memory.dmpFilesize
1.0MB
-
memory/1372-79-0x0000000008F70000-0x000000000908E000-memory.dmpFilesize
1.1MB