Analysis
Max time kernel: 150s
Max time network: 148s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 09-02-2022 08:25

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Advice.xlsx
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Payment Advice.xlsx
  Resource: win10v2004-en-20220113

The signatures, process tree, dropped files and memory dumps on this page come from behavioral1 (Windows 7 x64 with Office 2010, the Office14 install seen in the paths below); the Windows 10 run (behavioral2) is not shown here.
General
Target: Payment Advice.xlsx
Size: 187KB
MD5: dc01121346f71cb161d7f643235effd1
SHA1: 4d0e5c5a56a86d049e815e1c8939066aea4fc592
SHA256: 17f71f787c12cec37909e4355791ab91c28710248769c1b39a1ac819c04c3d8a
SHA512: fdcdfa5c44cfb776b2ffa11d200c14fccc3b8d25611bc93e40e87583ce953f3e156fbfcb2dcdb0447e64a3d43a1573023199b65af5eb82d48bc0998115b30b4b
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: o6tg
C2 domains (as decoded from the payload configuration; Xloader/Formbook configs embed one live C2 among decoy domains that the bot also contacts, so block or hunt on the whole list but do not treat every entry as attacker-controlled infrastructure):
turkscaicosonline.com
novelfoodtech.com
zgrmfww.com
gestionalcliente24hrs.store
postrojka.com
tapissier-uzes.com
tobytram.one
preamblegames.com
clicklinkzs.com
franksenen.com
beautygateway.net
foils-online.com
aout.us
promarkoperations.com
alignatura.com
changemylifefast.info
minbex.icu
internethustlersociety.com
chinacqn.com
fibsh.com
878971.com
diy-shisha.com
smarthomesecurity.online
orimsglow.com
platterwax.xyz
ipinksheets.com
robertatoschi.com
mieventi.com
qumuras.info
anyoneh.com
lovegasboutique.com
elimchambers.com
nanopicomedia.com
getoken.net
thechristmaslightingstore.com
progressivecapital.net
ott-leszek.com
flaneur.city
srikrishnadental.com
bantasis.com
forhims.jobs
sscmdpt.com
americanpawnaz.com
greatdayplumbing.com
skinstorecenter.com
chaoticcomicscrafts.com
farhadhossain.us
c-soi.com
http01.com
tjweifukeji.com
controldatasa.com
fitlearningphoenix.solutions
polecatroofing.com
xrxgqf.website
helmettips.com
caesarscasiono.com
dmfcommercialrealty.com
risecards.com
energycolumbus.com
slot138gacor.com
votenoahring.com
trigatefinancial.com
cuework.com
victorianalpine.com
makvik.online
Signatures

Xloader Payload 3 IoCs
YARA hits on process memory dumps (resource, rule):
behavioral1/memory/1608-72-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1608-80-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1240-85-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
Both matched regions are 0x29000 (164KB) long: the unpacked Xloader image at the default image base in the second xbtzqwy.exe (PID 1608) and the same image at a different base inside cmd.exe (PID 1240), consistent with the payload being copied into cmd.exe after the Explorer.EXE injection recorded below.
Blocklisted process makes network request 1 IoCs
flow  pid  process
4     552  EQNEDT32.EXE

Downloads MZ/PE file
The network request and the PE download are attributed to EQNEDT32.EXE (the Equation Editor), not to EXCEL.EXE. A document that makes Equation Editor fetch an executable, with no macro involved, is the hallmark of an Equation Editor exploit document rather than a VBA dropper.
Executes dropped EXE 3 IoCs
pid   process
1036  vbc.exe
1504  xbtzqwy.exe
1608  xbtzqwy.exe

Loads dropped DLL 6 IoCs
pid   process
552   EQNEDT32.EXE (3 loads)
1036  vbc.exe (2 loads)
1504  xbtzqwy.exe (1 load)
Uses the VBS compiler for execution 1 TTPs
This signature keys on the image name vbc.exe, the Visual Basic compiler that ships under C:\Windows\Microsoft.NET\Framework\. The file here is C:\Users\Public\vbc.exe, which the NSIS installer rule below identifies as the dropped installer, so the compiler's name is borrowed; the real vbc.exe is not involved.
Suspicious use of SetThreadContext 4 IoCs
source pid  source image  target pid  target image
1504        xbtzqwy.exe   1608        xbtzqwy.exe
1608        xbtzqwy.exe   1412        Explorer.EXE
1608        xbtzqwy.exe   1412        Explorer.EXE
1240        cmd.exe       1412        Explorer.EXE
SetThreadContext against a freshly started copy of the same image (1504 -> 1608), after the WriteProcessMemory calls recorded below, is the process-hollowing pattern: the first xbtzqwy.exe unpacks the payload into the second. The later calls against Explorer.EXE from 1608 and then from cmd.exe (1240) are the payload executing code in the shell process.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report shows file encryption, and the identified family is an information stealer, so treat this as host reconnaissance rather than ransomware.
NSIS installer 10 IoCs
resource                 yara_rule
\Users\Public\vbc.exe    nsis_installer_1 (3 hits)
\Users\Public\vbc.exe    nsis_installer_2 (3 hits)
C:\Users\Public\vbc.exe  nsis_installer_1 (2 hits)
C:\Users\Public\vbc.exe  nsis_installer_2 (2 hits)
Enumerates system info in registry 2 TTPs 1 IoCs
description  ioc                                                                   process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
This read comes from EXCEL.EXE itself and occurs whenever Office starts; it is not an action of the sample.
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out of process over COM, which is why EQNEDT32.EXE appears in the process tree as a separate top-level entry with the -Embedding switch rather than as a child of EXCEL.EXE; detections that rely on EXCEL.EXE being the parent will miss this chain and should key on EQNEDT32.EXE spawning any child or touching the network.
Modifies Internet Explorer settings 31 IoCs
Processes: EXCEL.EXE (PID 1636) for every entry below
These keys are Office 2010 registering its HTML/MHTML editor handlers and Internet Explorer menu extensions on a fresh profile: every value points at an Office14 binary or resource. They are Office's own first-run registration, not sample behaviour. The REG_BINARY command values are shown as hex; Blob A is a UTF-16LE Windows Installer (Darwin) descriptor for the Word "WORDFiles" feature followed by /n "%1".
Blob A = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000

Set value (int)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = Blob A
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = Blob A
Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
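The long hex `command` values in the Internet Explorer table above and in the "Modifies registry class" table that follows look alarming in a malware report, so it is worth showing what they actually are. The decoder below is an added example written for this page; it is not part of the sandbox report or its tooling. It treats each value as UTF-16LE text and parses it as a Windows Installer "Darwin descriptor": a 20-character base-85 compressed ProductCode, a feature name, a `>` separator, a 20-character compressed ComponentId, and the command-line tail. The base-85 alphabet is Windows Installer's (the same table Wine's msi implementation uses to decode these), and the product-code constant follows Microsoft's documented Office 2010 GUID numbering (`9014xxxx-PPPP-...-0000000FF1CE`, with `0011` = Professional Plus). The three blobs are copied verbatim from the tables on this page.

```python
"""Decode the REG_BINARY 'command' values EXCEL.EXE wrote in this run.

The sandbox prints them as hex. They are UTF-16LE Windows Installer "Darwin
descriptors": 20 base-85 chars (compressed ProductCode), a feature name, '>',
20 base-85 chars (compressed ComponentId), then the command-line tail.
"""
import struct

# Windows Installer's base-85 alphabet (the table Wine's msi uses to decode these).
_B85 = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"
_DEC = {c: i for i, c in enumerate(_B85)}

# ProductCode of Office Professional Plus 2010 (x86), per Microsoft's Office 2010
# product-code numbering scheme (9014xxxx-PPPP-LLLL-p000-0000000FF1CE, 0011 = ProPlus).
OFFICE_2010_PROPLUS_X86 = "{90140000-0011-0000-0000-0000000FF1CE}"


def decode_b85_guid(s: str) -> str:
    """20 base-85 characters -> registry-style GUID string.

    Each 5-char group is a little-endian base-85 DWORD; the four DWORDs are the
    in-memory GUID layout: Data1, Data2 | Data3 << 16, Data4[0:4], Data4[4:8].
    """
    if len(s) != 20 or any(c not in _DEC for c in s):
        raise ValueError("not a 20-character base-85 GUID: %r" % s)
    dwords = []
    for g in range(0, 20, 5):
        val = sum(_DEC[c] * 85 ** k for k, c in enumerate(s[g:g + 5]))
        dwords.append(val & 0xFFFFFFFF)
    d1, d23, d4a, d4b = dwords
    data4 = struct.pack("<II", d4a, d4b).hex().upper()
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d23 & 0xFFFF, d23 >> 16, data4[:4], data4[4:])


def parse_darwin_descriptor(reg_hex: str) -> dict:
    """reg_hex: the hex the sandbox printed for a REG_BINARY 'command' value."""
    text = bytes.fromhex(reg_hex).decode("utf-16-le").rstrip("\x00")
    product, rest = text[:20], text[20:]
    feature, sep, tail = rest.partition(">")
    if sep != ">" or len(tail) < 20:
        raise ValueError("missing '>' separator or component id; not a Darwin descriptor")
    return {
        "product_code": decode_b85_guid(product),
        "feature": feature,
        "component_id": decode_b85_guid(tail[:20]),
        "args": tail[20:].strip(),
    }


def is_office_2010_descriptor(reg_hex: str) -> bool:
    """True when the blob resolves to the Office 2010 ProPlus product, i.e. Office
    registering its own advertised shortcuts rather than something the sample wrote."""
    try:
        return parse_darwin_descriptor(reg_hex)["product_code"] == OFFICE_2010_PROPLUS_X86
    except ValueError:
        return False


# The three distinct blobs that appear in this report, copied from its registry tables.
REPORT_BLOBS = {
    "WinWord.exe": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    "Excel.exe": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
    "MSPub.exe": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
}

if __name__ == "__main__":
    for app, blob in REPORT_BLOBS.items():
        d = parse_darwin_descriptor(blob)
        print(app, d["product_code"], d["feature"], d["component_id"], repr(d["args"]))
```

All three blobs resolve to the Office Professional Plus 2010 product code with the features WORDFiles, EXCELFiles and PubPrimary and the tails `/n "%1"`, `/dde` and `%1`, matching the plain-text `command\` values beside them. That is the check to run before chasing an unfamiliar REG_BINARY value in a report: if it decodes to a Darwin descriptor for an installed product, it is Windows Installer repair metadata, not a payload.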
Modifies registry class 64 IoCs
Processes: EXCEL.EXE (PID 1636) for every entry below
As with the Internet Explorer keys, these are Office 2010's own file-association and icon-handler registrations for .htm/.mht (OpenWithList entries for Excel, Word and Publisher, the msohtmed.exe edit/print handlers and the msohevi.dll icon handler CLSID). They are written by EXCEL.EXE on first run and are not sample behaviour. The REG_BINARY command values are shown as hex; each is a UTF-16LE Windows Installer (Darwin) descriptor: Blob A for the Word "WORDFiles" feature (tail /n "%1"), Blob B for the Excel "EXCELFiles" feature (tail /dde), Blob C for the Publisher "PubPrimary" feature (tail %1).
Blob A = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Blob B = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Blob C = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000

Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = Blob C
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = Blob B
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = Blob A
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = Blob C
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = Blob A
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = Blob B
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = Blob A
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = Blob C
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = Blob B
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   process
1636  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs
pid   process
1608  xbtzqwy.exe (3 events)
1240  cmd.exe (24 events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
1412  Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
pid   process
1608  xbtzqwy.exe (4 events)
1240  cmd.exe (2 events)

Suspicious use of AdjustPrivilegeToken 6 IoCs
token                pid   process
SeDebugPrivilege     1608  xbtzqwy.exe
SeShutdownPrivilege  1412  Explorer.EXE
SeShutdownPrivilege  1412  Explorer.EXE
SeDebugPrivilege     1240  cmd.exe
SeShutdownPrivilege  1412  Explorer.EXE
SeShutdownPrivilege  1412  Explorer.EXE
SeDebugPrivilege being enabled first in xbtzqwy.exe (1608) and then in cmd.exe (1240) is the payload preparing to open and write other processes; it is the same code running in both. The SeShutdownPrivilege entries are Explorer.EXE's own and carry no signal here.

Suspicious use of FindShellTrayWindow 2 IoCs
pid   process
1412  Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage 2 IoCs
pid   process
1412  Explorer.EXE (2 events)

Suspicious use of SetWindowsHookEx 3 IoCs
pid   process
1636  EXCEL.EXE (3 events)

Suspicious use of WriteProcessMemory 23 IoCs
source pid  source image  target pid  target image  events
552         EQNEDT32.EXE  1036        vbc.exe       4
1036        vbc.exe       1504        xbtzqwy.exe   4
1504        xbtzqwy.exe   1608        xbtzqwy.exe   7
1412        Explorer.EXE  1240        cmd.exe       4
1240        cmd.exe       1912        cmd.exe       4
Each parent in the tree writes into its child a few times as part of ordinary process creation. The extra writes from 1504 into 1608, together with the SetThreadContext call between the same pair, are consistent with the unpacked Xloader image being copied into the second xbtzqwy.exe before its main thread is redirected; the Explorer.EXE -> cmd.exe writes are how the payload ends up in PID 1240, where the xloader YARA rule matches its memory.
Processes
The tree is from behavioral1 (Windows 7). PIDs are taken from the signature tables above. It is two chains rather than one: the document chain (Explorer.EXE -> EXCEL.EXE, plus the cmd.exe that Explorer.EXE spawns after the payload has injected into it) and the exploit chain (EQNEDT32.EXE, started over COM with -Embedding, downloading and running C:\Users\Public\vbc.exe, an NSIS installer that drops and runs xbtzqwy.exe, which re-launches itself and hollows the second copy). In order: 1608 injects into Explorer.EXE (1412); 1412 starts cmd.exe (1240) and writes the payload into it; 1240 starts cmd.exe (1912) to delete the dropper from %TEMP%.

C:\Windows\Explorer.EXE (PID 1412)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1636)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (PID 1240)
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1912)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 552)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 1036)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe (PID 1504)
      Command line: C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe (PID 1608)
        Command line: C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
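The tree above contains four tells that survive renaming of the dropped files: Equation Editor spawning a child, executables running from C:\Users\Public or %TEMP%, a binary outside the Windows directory re-launching its own image (the first step of the hollowing recorded by SetThreadContext 1504 -> 1608), and cmd.exe deleting an executable that was just run from a staging directory. The detector below is an added example written for this page, not part of the sandbox or its signatures. Its input is a list of process-creation events (Sysmon Event ID 1 style: pid, ppid, image, command line) constructed from the tree above with PIDs from the signature tables; parent PIDs the report does not show (Explorer.EXE and the COM-launched EQNEDT32.EXE) are set to 0. The rule names, the staging-directory patterns and the expected location of the genuine vbc.exe are the example's own choices.

```python
"""Flag the process-tree pattern of this run from process-creation events.

Events are constructed here from the report's process tree and signature tables
(Sysmon Event ID 1 style: pid, ppid, image, command line). Parent PIDs the report
does not show (Explorer.EXE, the COM-launched EQNEDT32.EXE) are set to 0.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Staging locations a phishing dropper can write to without elevation (assumed set).
USER_WRITABLE = (
    r"^c:\\users\\public\\",
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\",
)
# Names borrowed from real tooling, with where the genuine binary lives (assumed).
EXPECTED_HOME = {
    "vbc.exe": r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\vbc\.exe$",
}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a set of (rule, pid) findings."""
    by_pid = {e.pid: e for e in events}
    findings, dropped = set(), set()
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        # Equation Editor has no business launching child processes.
        if parent and _basename(parent.image) == "eqnedt32.exe":
            findings.add(("equation_editor_child", e.pid))
        if any(re.match(p, img) for p in USER_WRITABLE):
            findings.add(("exec_from_user_writable_dir", e.pid))
            dropped.add(img)
        # A binary re-launching its own image outside the Windows directory is the
        # first step of the self-hollowing seen with SetThreadContext(1504 -> 1608).
        if parent and parent.image.lower() == img and not img.startswith("c:\\windows\\"):
            findings.add(("self_spawn_outside_windows", e.pid))
        home = EXPECTED_HOME.get(_basename(img))
        if home and not re.match(home, img):
            findings.add(("lolbin_name_outside_expected_dir", e.pid))
    # Second pass: cmd.exe deleting an executable that ran from a staging directory.
    for e in events:
        m = re.search(r'\bdel\s+"?([^"]+?\.exe)"?', e.cmdline, re.IGNORECASE)
        if _basename(e.image) == "cmd.exe" and m and m.group(1).lower() in dropped:
            findings.add(("self_delete_of_dropped_exe", e.pid))
    return findings


def lineage(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


# Constructed from the report's process tree; PIDs from its signature tables.
REPORT_EVENTS = [
    ProcEvent(1412, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1636, 1412, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"'),
    ProcEvent(1240, 1412, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"'),
    ProcEvent(1912, 1240, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe"'),
    ProcEvent(552, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1036, 552, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(1504, 1036, r"C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe",
              r"C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe"),
    ProcEvent(1608, 1504, r"C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe",
              r"C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe"),
]

if __name__ == "__main__":
    for rule, pid in sorted(analyze(REPORT_EVENTS)):
        print(f"{rule:36} pid {pid}")
```

Run on the constructed events it flags PIDs 1036, 1504, 1608 and 1912 and nothing in the Explorer.EXE/EXCEL.EXE chain, which is the right split: the document-side processes look normal in process-creation telemetry, and the injection into Explorer.EXE is only visible through the SetThreadContext and WriteProcessMemory events, not through parent-child relationships. The self-spawn rule deliberately excludes images under C:\Windows so that cmd.exe spawning cmd.exe (1240 -> 1912) is caught by the deletion rule rather than as a false positive.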
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files written during the run. Entries the report listed more than once with identical hashes (the same file under C:\Users\... and \Users\...) are shown once.

C:\Users\Admin\AppData\Local\Temp\mxfvylv3nr1jewbbtgj
MD5: dc04ad8e4791cf708485b7f60a473b86
SHA1: 22132be7a1ec306b1f64160f8ad60a356fd32a97
SHA256: 78f28dfbd256f5e157b5283dc8f69cde31a009921dc71e746dd5214657e792e4
SHA512: 0bf9b150a250d7905c0827140a44e6275edbcbdf269e68ca7076b583b3fc7e934c2c547b4466da0dbb2bad359c512c2d3108bb907f98211e96b4ee3b64ed204a

C:\Users\Admin\AppData\Local\Temp\qawjd
MD5: ec1e2c88be91e24c2a50a0a09ef4037c
SHA1: 05948db24552f61edfc0968e3a0cd8e259c8a8da
SHA256: 116f73a63062c31e54f19d2733b223b9e47c4a998806fb2e9266d22d069311d0
SHA512: 71a1beaaa8d1afd70b5aa1aa045f1e6c9d2f609ecf96379bdc08c6208ed049d1e62317129893302089120f48a08678dcd87f0030d926361d65e81cdd2082fff7

C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe (also recorded as \Users\Admin\AppData\Local\Temp\xbtzqwy.exe; six identical entries in the original)
MD5: b5e54ee9c196c5dc3327426f2f883771
SHA1: 940df73d290c823bdb8f2d91f034e30ab5efe895
SHA256: ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64
SHA512: b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; five identical entries in the original)
MD5: e0f1e3b823d0cddfa31461ab72ea9406
SHA1: d13ac912867e46b4a88abc1ea35516fc95759a96
SHA256: af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
SHA512: 57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0
Memory dumps
Process memory regions saved during the run, ordered by PID and dump index (resource name, size). The three 164KB regions are the ones matched by the xloader YARA rule above.

memory/552-58-0x0000000076921000-0x0000000076923000-memory.dmp   8KB
memory/1240-84-0x000000004A900000-0x000000004A94C000-memory.dmp  304KB
memory/1240-85-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB  (xloader YARA hit)
memory/1240-86-0x0000000001E90000-0x0000000002193000-memory.dmp  3.0MB
memory/1240-87-0x0000000001DF0000-0x0000000001E80000-memory.dmp  576KB
memory/1412-79-0x0000000007200000-0x000000000734A000-memory.dmp  1.3MB
memory/1412-83-0x0000000007670000-0x00000000077A4000-memory.dmp  1.2MB
memory/1412-88-0x0000000009B10000-0x0000000009C60000-memory.dmp  1.3MB
memory/1504-74-0x00000000003D0000-0x00000000003D2000-memory.dmp  8KB
memory/1608-72-0x0000000000400000-0x0000000000429000-memory.dmp  164KB  (xloader YARA hit)
memory/1608-76-0x0000000000900000-0x0000000000C03000-memory.dmp  3.0MB
memory/1608-77-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
memory/1608-78-0x0000000000330000-0x0000000000341000-memory.dmp  68KB
memory/1608-80-0x0000000000400000-0x0000000000429000-memory.dmp  164KB  (xloader YARA hit)
memory/1608-81-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
memory/1608-82-0x0000000000380000-0x0000000000391000-memory.dmp  68KB
memory/1636-54-0x000000002FC51000-0x000000002FC54000-memory.dmp  12KB
memory/1636-55-0x0000000071BA1000-0x0000000071BA3000-memory.dmp  8KB
memory/1636-56-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
memory/1636-57-0x0000000072B8D000-0x0000000072B98000-memory.dmp  44KB
memory/1636-89-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB