Analysis
- max time kernel: 154s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10-02-2022 10:05
Static task: static1
Behavioral task: behavioral1, sample NIS10539.xlsx, resource win7-en-20211208
Behavioral task: behavioral2, sample NIS10539.xlsx, resource win10v2004-en-20220112
(The signatures, process tree, dropped files and memory dumps below come from behavioral1, the Windows 7 x64 / Office 2010 run; the win10v2004 run is not reproduced on this page.)
General
- Target: NIS10539.xlsx
- Size: 187KB
- MD5: a7968f4591d286618a93ef7e3e2a6bdf
- SHA1: 488bf2bb3e8fafe44a23bc9f2c5397a564fd6e1a
- SHA256: 069c92a79b1da93e65e632157a3024f9c308df954bd76c507ba1b52787b6c667
- SHA512: 9de64f674202e7767274c863158496eeb90492b7e26a381332af7aeeb41ca207cf0c41a394ef9da924d9c355df9fcd491ed74a92a9ba8ecd0a75f5840b2c1116
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
- C2 domains (XLoader, like FormBook before it, embeds a long list of domains of which only one is the live C2; the rest are decoys the bot also contacts. Block or hunt on the whole list, but do not treat every entry as attacker-controlled infrastructure):
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (two alerts; XLoader is the successor of FormBook and its check-in still matches the FormBook rule)

Xloader Payload 2 IoCs
resource / yara_rule:
- behavioral1/memory/1744-72-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
- behavioral1/memory/1740-80-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
(the same 0x29000-byte image, once in the hollowed rwdiyf.exe copy, PID 1744, and once in NETSTAT.EXE, PID 1740)

Blocklisted process makes network request 1 IoCs
flow / pid / process:
- 4  484  EQNEDT32.EXE

Downloads MZ/PE file
(no per-IoC detail in the report; the network request above comes from EQNEDT32.EXE, PID 484, and the PE that appears next is C:\Users\Public\vbc.exe, which PID 484 then starts)

Executes dropped EXE 3 IoCs
pid / process:
- 1324  vbc.exe
- 1404  rwdiyf.exe
- 1744  rwdiyf.exe

Loads dropped DLL 5 IoCs
pid / process:
- 484  EQNEDT32.EXE (3 entries)
- 1324  vbc.exe
- 1404  rwdiyf.exe
Uses the VBS compiler for execution 1 TTPs
(Name-based match only. The file is C:\Users\Public\vbc.exe, which the NSIS installer YARA hits below identify as an NSIS-packaged dropper, not the Visual Basic compiler that ships under the .NET Framework directory. Treat it as a masquerade under a trusted binary name.)
Suspicious use of SetThreadContext 3 IoCs
description / pid / process -> target process:
- PID 1404 set thread context of 1744  rwdiyf.exe -> rwdiyf.exe
- PID 1744 set thread context of 1200  rwdiyf.exe -> Explorer.EXE
- PID 1200 set thread context of 1200  NETSTAT.EXE (PID 1740) -> Explorer.EXE
(rwdiyf.exe hollowing a second copy of itself, then the hollowed copy and later NETSTAT.EXE redirecting a thread in the shell, Explorer.EXE PID 1200; the NETSTAT.EXE launch itself comes from Explorer.EXE, see the WriteProcessMemory entries and the process tree)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; nothing else in this run (no file encryption, no ransom note) supports that reading, and the rest of the report identifies the payload as the XLoader stealer.
NSIS installer 10 IoCs
resource / yara_rule (each write of the file matched by both nsis_installer_1 and nsis_installer_2):
- \Users\Public\vbc.exe  nsis_installer_1, nsis_installer_2 (3 entries)
- C:\Users\Public\vbc.exe  nsis_installer_1, nsis_installer_2 (2 entries)

Enumerates system info in registry 2 TTPs 1 IoCs
description / ioc / process:
- Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid / process:
- 1740  NETSTAT.EXE
(The signature fires on the image name. NETSTAT.EXE is started by the injected Explorer.EXE with no arguments and carries the XLoader image in its own memory, see the xloader YARA hit in PID 1740; it is the payload's host process, not a reconnaissance command.)
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is activated through COM with "-Embedding", so it runs as a separate root process rather than as a child of EXCEL.EXE; detection rules keyed on EXCEL.EXE parent/child relationships will not see it.

Modifies Internet Explorer settings
Processes (all by EXCEL.EXE, PID 1568). HKU-IE below stands for \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer and HKLM-IE for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer:
- Key created  HKU-IE\MenuExt\E&xport to Microsoft Excel
- Key deleted  HKLM-IE\Default HTML Editor\shell\edit
- Key deleted  HKLM-IE\Default MHTML Editor\shell\edit
- Set value (str)  HKLM-IE\Default MHTML Editor\shell\edit\ = "&Edit"
- Key created  HKU-IE\MenuExt
- Key created  HKU-IE\MenuExt\Se&nd to OneNote
- Key deleted  HKLM-IE\Default HTML Editor\shell\edit\COMMAND
- Key deleted  HKLM-IE\Default HTML Editor
- Key created  HKLM-IE\Default HTML Editor\shell
- Key deleted  HKLM-IE\Default MHTML Editor\shell\edit\COMMAND
- Key created  HKLM-IE\Default MHTML Editor\shell\edit\command
- Set value (str)  HKLM-IE\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created  HKU-IE\Toolbar
- Set value (str)  HKU-IE\Toolbar\ShowDiscussionButton = "Yes"
- Set value (int)  HKU-IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str)  HKLM-IE\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created  HKLM-IE\Default MHTML Editor\shell
- Set value (str)  HKU-IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int)  HKU-IE\MenuExt\Se&nd to OneNote\Contexts = "55"
- Set value (str)  HKU-IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (str)  HKLM-IE\Default HTML Editor\shell\edit\ = "&Edit"
- Key created  HKLM-IE\Default HTML Editor
- Key created  HKLM-IE\Default HTML Editor\shell\edit\command
- Key deleted  HKLM-IE\Default MHTML Editor\shell
- Key created  HKLM-IE\Default HTML Editor\shell\edit
- Key created  HKLM-IE\Default MHTML Editor
- Set value (data)  HKLM-IE\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key deleted  HKLM-IE\Default HTML Editor\shell
- Set value (data)  HKLM-IE\Default HTML Editor\shell\edit\command\command = (same UTF-16LE value as above)
- Key deleted  HKLM-IE\Default MHTML Editor
- Key created  HKLM-IE\Default MHTML Editor\shell\edit
(This is Office 2010 re-registering Word as the HTML/MHTML editor and its Internet Explorer context-menu extensions, not attacker persistence. The binary "command" value is UTF-16LE and decodes to the Windows Installer Darwin descriptor xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1", which the shell resolves through MSI rather than executing as a path.)
Modifies registry class 64 IoCs
Processes (all by EXCEL.EXE, PID 1568). Classes below stands for \REGISTRY\MACHINE\SOFTWARE\Classes. Three binary "command" values recur and are shown once here as blob-W, blob-X and blob-P (UTF-16LE hex, exactly as dumped):
- blob-W = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- blob-X = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- blob-P = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
Entries:
- Key created  Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
- Set value (str)  Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
- Set value (data)  Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = blob-X
- Key created  Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
- Key created  Classes\.htm\OpenWithList\WinWord.exe
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key created  Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
- Key deleted  Classes\mhtmlfile\shell\Edit
- Set value (str)  Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
- Key created  Classes\.mht
- Key created  Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- Set value (str)  Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Set value (str)  Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (str)  Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created  Classes\htmlfile\shell\Print
- Key created  Classes\mhtmlfile\shell\Edit
- Key created  Classes\mhtmlfile\ShellEx
- Set value (str)  Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created  Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
- Key deleted  Classes\htmlfile\shell\Edit
- Key created  Classes\.htm\OpenWithList\MSPub.exe
- Key deleted  Classes\mhtmlfile\shell\Print\command
- Set value (str)  Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str)  Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
- Set value (data)  Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = blob-P
- Key created  Classes\.mht\OpenWithList\Microsoft Excel
- Set value (str)  Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Set value (str)  Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Set value (str)  Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key created  Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
- Key created  Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
- Set value (data)  Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = blob-X
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created  Classes\mhtmlfile\shell\Print\command
- Key created  Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str)  Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key created  Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created  Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
- Set value (str)  Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (data)  Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = blob-W
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created  Classes\.mht\OpenWithList\Excel.exe\shell\edit
- Key created  Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
- Key created  Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key deleted  Classes\mhtmlfile\shell\Print
- Key created  Classes\htmlfile\shellex\IconHandler
- Key created  Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Key created  Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Key created  Classes\mhtmlfile\shell\Edit\command
- Key created  Classes\mhtmlfile\shellex\IconHandler
- Set value (str)  Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Set value (str)  Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created  Classes\.htm\OpenWithList\Excel.exe
- Set value (str)  Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created  Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str)  Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created  Classes\.htm\OpenWithList\Microsoft Word\shell\edit
- Key created  Classes\.htm\OpenWithList\WinWord.exe\shell\edit
- Key created  Classes\.htm
- Key created  Classes\.htm\OpenWithList
- Key created  Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Key created  Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
(All of this is Office 2010's standard .htm/.mht "Open With" and editor registration for Excel, Word and Publisher, performed by EXCEL.EXE before the exploit chain starts; none of the dropped binaries touches the registry in this run. The blob-W/X/P values decode to Windows Installer Darwin descriptors, the same mechanism as in the Internet Explorer entries.)
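The binary "command" values above look alarming in a report but are Windows Installer Darwin descriptors: the advertised-feature references Office writes so the shell can repair or install the feature on demand. The Python below decodes them and splits them into their documented fields. It is an added example, not part of the Triage report or its tooling; the two hex strings are copied verbatim from the entries above, and the 20-character field widths follow the descriptor layout (compressed product code, feature name, ">", compressed component code, optional arguments). The compressed GUIDs are left in their packed form rather than expanded.

```python
"""Decode the REG_BINARY 'command' values EXCEL.EXE wrote (added example)."""

# Hex dumps copied verbatim from the registry entries in the report above.
WORD_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"

# A Darwin descriptor packs the product and component GUIDs into 20 printable
# characters each; the feature name sits between them, terminated by '>'.
COMPRESSED_GUID_LEN = 20


def decode_utf16_hex(hex_value: str) -> str:
    """REG_BINARY dumped as hex -> the UTF-16LE text it holds, minus NUL padding."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> dict:
    """Split '<product20><feature>><component20>[ args]' into its parts.

    Raises ValueError when the string does not have that shape, so a caller
    scanning many registry values can separate descriptors from real commands.
    (Shape check only: a long command line containing '>' could still pass.)
    """
    product, rest = text[:COMPRESSED_GUID_LEN], text[COMPRESSED_GUID_LEN:]
    feature, sep, rest = rest.partition(">")
    if (len(product) < COMPRESSED_GUID_LEN or not sep or not feature
            or len(rest) < COMPRESSED_GUID_LEN):
        raise ValueError(f"not a Darwin descriptor: {text!r}")
    component, args = rest[:COMPRESSED_GUID_LEN], rest[COMPRESSED_GUID_LEN:].strip()
    return {"product": product, "feature": feature, "component": component, "args": args}


def is_darwin_descriptor(text: str) -> bool:
    """True if the decoded value parses as a descriptor, False for a plain command."""
    try:
        parse_darwin_descriptor(text)
    except ValueError:
        return False
    return True


def describe(hex_value: str) -> dict:
    """Decode a dumped 'command' value and return its descriptor fields."""
    return parse_darwin_descriptor(decode_utf16_hex(hex_value))


if __name__ == "__main__":
    for label, value in (("WORD", WORD_COMMAND_HEX), ("EXCEL", EXCEL_COMMAND_HEX)):
        print(label, decode_utf16_hex(value))
        for field, content in describe(value).items():
            print(f"  {field:<9} {content}")
```

Both values share the product code (the same Office 2010 install), differ in feature (WORDFiles vs EXCELFiles) and component, and carry the trailing arguments seen in the plain-string twins of these keys ("/n "%1"" and "/dde"). Running the same check over a suspicious host's OpenWithList keys separates Office's own descriptors from a value that actually points at an executable.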
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid / process:
- 1568  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs
pid / process:
- 1744  rwdiyf.exe (2 entries)
- 1740  NETSTAT.EXE (22 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / process:
- 1200  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
pid / process:
- 1744  rwdiyf.exe (3 entries)
- 1740  NETSTAT.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken 11 IoCs
description / pid / process:
- Token: SeDebugPrivilege  1744  rwdiyf.exe
- Token: SeShutdownPrivilege  1200  Explorer.EXE (3 entries)
- Token: SeDebugPrivilege  1740  NETSTAT.EXE
- Token: SeShutdownPrivilege  1200  Explorer.EXE (6 entries)
(The SeDebugPrivilege requests by rwdiyf.exe and NETSTAT.EXE are the ones that matter: each precedes that process's SetThreadContext write into Explorer.EXE. Explorer.EXE toggling SeShutdownPrivilege is routine shell behaviour.)

Suspicious use of FindShellTrayWindow 6 IoCs
pid / process:
- 1200  Explorer.EXE (6 entries)

Suspicious use of SendNotifyMessage 2 IoCs
pid / process:
- 1200  Explorer.EXE (2 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
pid / process:
- 1568  EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 23 IoCs
description / pid / process -> target process:
- PID 484 wrote to memory of 1324   EQNEDT32.EXE -> vbc.exe (4 entries)
- PID 1324 wrote to memory of 1404  vbc.exe -> rwdiyf.exe (4 entries)
- PID 1404 wrote to memory of 1744  rwdiyf.exe -> rwdiyf.exe (7 entries)
- PID 1200 wrote to memory of 1740  Explorer.EXE -> NETSTAT.EXE (4 entries)
- PID 1740 wrote to memory of 1792  NETSTAT.EXE -> cmd.exe (4 entries)
(Four writes per parent/child pair is what ordinary process creation produces in this sandbox; the extra writes from 1404 into its own copy 1744 are consistent with the unpacked payload being written into the hollowed child, matching the SetThreadContext entry for that pair.)
Processes (behavioral1; indentation shows parent/child depth)

C:\Windows\Explorer.EXE  PID 1200
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  PID 1568
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NIS10539.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\NETSTAT.EXE  PID 1740
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  PID 1792
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  PID 484
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe  PID 1324
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe  PID 1404
      command line: C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe  PID 1744
        command line: C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

Read with the SetThreadContext and WriteProcessMemory entries, the chain is: EXCEL.EXE opens the workbook, which activates EQNEDT32.EXE through COM (hence its own root in the tree); EQNEDT32.EXE fetches vbc.exe into C:\Users\Public and runs it; the NSIS dropper writes rwdiyf.exe and the nunhgnm blob to %TEMP% and runs rwdiyf.exe with nunhgnm as its argument; rwdiyf.exe hollows a second copy of itself, which injects into Explorer.EXE; Explorer.EXE starts NETSTAT.EXE as the payload host, and NETSTAT.EXE deletes the dropper via cmd.exe while the FormBook-style C2 check-in fires.
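The process tree is the part of this report that converts most directly into detection logic. The following Python is an added example, not part of the Triage report: the events are re-typed from the tree above (PID, parent PID, image path, command line) and five rules are run over them. Two assumptions are stated in the code: EQNEDT32.EXE's parent is not shown in the report (it is COM-activated with -Embedding) and is recorded as None, and the genuine vbc.exe is expected under the .NET Framework directory.

```python
"""Detection rules over the process tree in the report above (added example)."""
import ntpath
import re

# Re-typed from the report's process tree: pid, parent pid, image, command line.
# EQNEDT32.EXE is COM-activated ("-Embedding") and the report does not show its
# parent, so ppid=None there is an assumption; Explorer.EXE is the tree root.
EVENTS = [
    {"pid": 1200, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1568, "ppid": 1200, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NIS10539.xlsx'},
    {"pid": 1740, "ppid": 1200, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\NETSTAT.EXE"'},
    {"pid": 1792, "ppid": 1740, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe"'},
    {"pid": 484, "ppid": None, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 1324, "ppid": 484, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1404, "ppid": 1324, "image": r"C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm"},
    {"pid": 1744, "ppid": 1404, "image": r"C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm"},
]

# Where the genuine binary lives, for names droppers like to borrow.
# vbc.exe -> the .NET Framework directory (assumption; adjust to your estate).
EXPECTED_PATH_FRAGMENT = {"vbc.exe": r"\microsoft.net\framework"}

# Parent images that have no business creating child processes.
NO_CHILDREN_EXPECTED = {"eqnedt32.exe"}

# User-writable directories an interactive user rarely launches binaries from.
SUSPECT_DIRS = ("c:\\users\\public\\",)

# "del <path>" or "del \"<path>\"" at the end of a cmd.exe command line.
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        name = _name(image)
        # Equation Editor spawning anything is the CVE-2017-11882 tell.
        if parent and _name(parent["image"]) in NO_CHILDREN_EXPECTED:
            alerts.append(("child_of_eqnedt32", e["pid"]))
        if image.startswith(SUSPECT_DIRS):
            alerts.append(("exec_from_public", e["pid"]))
        fragment = EXPECTED_PATH_FRAGMENT.get(name)
        if fragment and fragment not in image:
            alerts.append(("masqueraded_name", e["pid"]))
        # A binary re-launching its own image is the usual hollowing setup.
        if parent and parent["image"].lower() == image:
            alerts.append(("self_reexec", e["pid"]))
        # cmd.exe deleting a file that is the image of a process in the tree.
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in images:
                alerts.append(("dropper_self_delete", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<22} pid {pid}")
```

The same five rules leave Explorer.EXE, EXCEL.EXE and the bare NETSTAT.EXE launch unflagged, which is the point: NETSTAT.EXE started by Explorer with no arguments only becomes suspicious in combination with the cross-process writes the report lists separately, so a real deployment would join these process events with memory-write or thread-context telemetry rather than rely on the tree alone.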
Network and MITRE ATT&CK Enterprise v6 tabs: contents not included in this extract.
Downloads (files dropped during the run; repeated entries in the report are collapsed with their count)

C:\Users\Admin\AppData\Local\Temp\nunhgnm (passed as the argument to rwdiyf.exe, see the process tree)
- MD5: cec6479860914540d21176850b1c4b21
- SHA1: 534b76d286f97b9477e7892bb05701172efc1c71
- SHA256: 7b1106f7bf77968581f2db4c06ba833ede929959074eee1ce8f10185e61a05e3
- SHA512: 6503f223f2e70476fd78e2ddf05e71b218900276873af6c41db9ef8f8807ce2f77c423723b794b8a72b0369575c221ecde1060aa9250c2ad49f3795a97f9014c

C:\Users\Admin\AppData\Local\Temp\ognhs6i1h2plg3ur68s
- MD5: 798e35236d03021934f922ea41b06c32
- SHA1: ae4c1656c9d0c4ca6bcc914bd46458688b46ff58
- SHA256: 7c6022ef98927ad13596d6106074f2ef4cab883925e5df6d7ad1c578cc772ab0
- SHA512: f992596c6a99e540420347d231c7fe2991e7d140677a5d5645209b892385320c69e6729f3b437c56f34f57414562bd80ae9bcf7b52d3c7c9ca44c4f4037fbb8b

C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe (3 entries) and \Users\Admin\AppData\Local\Temp\rwdiyf.exe (2 entries), same file
- MD5: f61da6d9be169e8012f1776867def6da
- SHA1: 82564a582a671cb220fb66aa75bbed1e7c6d7270
- SHA256: 38f59aa2c8b4d93f9570bcbcc728102ad4375799b1a15de9b2384c27cc4a44ce
- SHA512: 8906aff6e9cd36c5374c3a622f703272c11a3fdf33b4b5b1e07dd0a98244fe61e443f372f84d6456af957024b07e093675acf43a1275b9d15ffdc0afd23d83cc

C:\Users\Public\vbc.exe (2 entries) and \Users\Public\vbc.exe (3 entries), same file
- MD5: fea1c9fccf1292d9fd2c048f0fa767e3
- SHA1: 790976dfd13d80cc8286fcd5ca60df6e6b3e0fdb
- SHA256: 1ba84876de166844e415c6287023982232051d97ee776b37cf4a7512666494dd
- SHA512: 3ef79d18ae784d5bce0348619063696578743c3f2942c5fe1540387e2d4261bcb1baa418d78c91e74912596d7f39db9c1045260bc78f1c8232decf91ee923929
Memory dumps (behavioral1; dump name and size)
- memory/484-58-0x0000000075B51000-0x0000000075B53000-memory.dmp  8KB
- memory/1200-83-0x0000000003F30000-0x0000000004021000-memory.dmp  964KB
- memory/1200-78-0x0000000004B20000-0x0000000004BD5000-memory.dmp  724KB
- memory/1568-57-0x000000007219D000-0x00000000721A8000-memory.dmp  44KB
- memory/1568-56-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
- memory/1568-54-0x000000002F311000-0x000000002F314000-memory.dmp  12KB
- memory/1568-55-0x00000000711B1000-0x00000000711B3000-memory.dmp  8KB
- memory/1568-84-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
- memory/1740-81-0x0000000002000000-0x0000000002303000-memory.dmp  3.0MB
- memory/1740-82-0x0000000001DC0000-0x0000000001E50000-memory.dmp  576KB
- memory/1740-79-0x00000000003F0000-0x00000000003F9000-memory.dmp  36KB
- memory/1740-80-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
- memory/1744-72-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/1744-77-0x00000000001D0000-0x00000000001E1000-memory.dmp  68KB
- memory/1744-76-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
- memory/1744-74-0x0000000000880000-0x0000000000B83000-memory.dmp  3.0MB
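The dump names encode PID and address range, so they can be parsed to show which regions recur across processes: the 164KB region the xloader YARA hits point to sits at 0x400000, the usual 32-bit image base, in the hollowed rwdiyf.exe copy (PID 1744) and at 0x80000 in NETSTAT.EXE (PID 1740), and a 3.0MB region appears in both as well. The following Python is an added example, not part of the Triage report; the dump names are copied from the list above, and the name format is assumed to be memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp as shown there.

```python
"""Parse the memory-dump names above and find region sizes shared across PIDs (added example)."""
import re
from collections import defaultdict

# Assumed layout of the names as they appear in the report's memory list.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Dump names copied from the report's memory list above.
DUMPS = [
    "memory/484-58-0x0000000075B51000-0x0000000075B53000-memory.dmp",
    "memory/1200-83-0x0000000003F30000-0x0000000004021000-memory.dmp",
    "memory/1200-78-0x0000000004B20000-0x0000000004BD5000-memory.dmp",
    "memory/1568-57-0x000000007219D000-0x00000000721A8000-memory.dmp",
    "memory/1568-56-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/1568-54-0x000000002F311000-0x000000002F314000-memory.dmp",
    "memory/1568-55-0x00000000711B1000-0x00000000711B3000-memory.dmp",
    "memory/1568-84-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/1740-81-0x0000000002000000-0x0000000002303000-memory.dmp",
    "memory/1740-82-0x0000000001DC0000-0x0000000001E50000-memory.dmp",
    "memory/1740-79-0x00000000003F0000-0x00000000003F9000-memory.dmp",
    "memory/1740-80-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/1744-72-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1744-77-0x00000000001D0000-0x00000000001E1000-memory.dmp",
    "memory/1744-76-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/1744-74-0x0000000000880000-0x0000000000B83000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Break a dump name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def human_size(size: int) -> str:
    """Render sizes the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def shared_region_sizes(names):
    """Map region size -> sorted PIDs, keeping only sizes seen in more than one PID."""
    by_size = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for size, pids in sorted(shared_region_sizes(DUMPS).items()):
        print(f"{human_size(size):>6} (0x{size:x}) in PIDs {pids}")
```

Size-only matching is a lead, not proof: the 8KB regions in PID 484 and PID 1568 also pair up and are just ordinary DLL data pages. The two 1740/1744 pairs are worth following because the report's YARA hits land on one of them.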