Analysis
max time kernel
4294211s
max time network
149s
platform
windows7_x64
resource
win7-20220223-en
submitted
03-03-2022 08:02
Static task
static1
Behavioral task
behavioral1
Sample
FORNAX 2-Eng revised bank account.xlsx
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
FORNAX 2-Eng revised bank account.xlsx
Resource
win10v2004-en-20220113
General
-
Target
FORNAX 2-Eng revised bank account.xlsx
-
Size
185KB
-
MD5
74ba866282eb9332585ed493840c4030
-
SHA1
4fecea9cfd6a9935e7aab9e3bb3de5bc50206f4c
-
SHA256
469884179434185e1275b12bc001caaae4281a8d5698e20f57b8f7770cdfd7b1
-
SHA512
24c98f080b51c1d74d88011a09476e45b1939fc2efd396008dc77025b8a9792b875322b263606b5d6d4e71ab54f5f59bcf0057d76429d9ce1d4b708e0aed0e82
Malware Config
Extracted
xloader
2.5
igwa
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 3 IoCs
resource | yara_rule
behavioral1/memory/980-72-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/980-79-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1376-84-0x00000000000D0000-0x00000000000F9000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
4 | 836 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: vbc.exe, iizlfx.exe, iizlfx.exe
pid | process
976 | vbc.exe
1688 | iizlfx.exe
980 | iizlfx.exe
-
Loads dropped DLL 5 IoCs
Processes: EQNEDT32.EXE, vbc.exe, iizlfx.exe
pid | process
836 | EQNEDT32.EXE
836 | EQNEDT32.EXE
836 | EQNEDT32.EXE
976 | vbc.exe
1688 | iizlfx.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes: iizlfx.exe, iizlfx.exe, cmmon32.exe
description | pid | process | target process
PID 1688 set thread context of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 980 set thread context of 1408 | 980 | iizlfx.exe | Explorer.EXE
PID 980 set thread context of 1408 | 980 | iizlfx.exe | Explorer.EXE
PID 1376 set thread context of 1408 | 1376 | cmmon32.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
resource | yara_rule
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
\Users\Public\vbc.exe | nsis_installer_1
\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_1
C:\Users\Public\vbc.exe | nsis_installer_2
C:\Users\Public\vbc.exe | nsis_installer_1
C:\Users\Public\vbc.exe | nsis_installer_2
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: EXCEL.EXE
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
-
Modifies registry class 64 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
1476 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: iizlfx.exe, cmmon32.exe
pid | process
980 | iizlfx.exe
980 | iizlfx.exe
980 | iizlfx.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1408 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: iizlfx.exe, cmmon32.exe
pid | process
980 | iizlfx.exe
980 | iizlfx.exe
980 | iizlfx.exe
980 | iizlfx.exe
1376 | cmmon32.exe
1376 | cmmon32.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: iizlfx.exe, cmmon32.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 980 | iizlfx.exe
Token: SeDebugPrivilege | 1376 | cmmon32.exe
Token: SeShutdownPrivilege | 1408 | Explorer.EXE
Token: SeShutdownPrivilege | 1408 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
pid | process
1476 | EXCEL.EXE
1476 | EXCEL.EXE
1476 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: EQNEDT32.EXE, vbc.exe, iizlfx.exe, iizlfx.exe, cmmon32.exe
description | pid | process | target process
PID 836 wrote to memory of 976 | 836 | EQNEDT32.EXE | vbc.exe
PID 836 wrote to memory of 976 | 836 | EQNEDT32.EXE | vbc.exe
PID 836 wrote to memory of 976 | 836 | EQNEDT32.EXE | vbc.exe
PID 836 wrote to memory of 976 | 836 | EQNEDT32.EXE | vbc.exe
PID 976 wrote to memory of 1688 | 976 | vbc.exe | iizlfx.exe
PID 976 wrote to memory of 1688 | 976 | vbc.exe | iizlfx.exe
PID 976 wrote to memory of 1688 | 976 | vbc.exe | iizlfx.exe
PID 976 wrote to memory of 1688 | 976 | vbc.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 1688 wrote to memory of 980 | 1688 | iizlfx.exe | iizlfx.exe
PID 980 wrote to memory of 1376 | 980 | iizlfx.exe | cmmon32.exe
PID 980 wrote to memory of 1376 | 980 | iizlfx.exe | cmmon32.exe
PID 980 wrote to memory of 1376 | 980 | iizlfx.exe | cmmon32.exe
PID 980 wrote to memory of 1376 | 980 | iizlfx.exe | cmmon32.exe
PID 1376 wrote to memory of 1704 | 1376 | cmmon32.exe | cmd.exe
PID 1376 wrote to memory of 1704 | 1376 | cmmon32.exe | cmd.exe
PID 1376 wrote to memory of 1704 | 1376 | cmmon32.exe | cmd.exe
PID 1376 wrote to memory of 1704 | 1376 | cmmon32.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\FORNAX 2-Eng revised bank account.xlsx"
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Windows\SysWOW64\autoconv.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\autoconv.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (tree depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (tree depth 2)
Command line: "C:\Users\Public\vbc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iizlfx.exe (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\iizlfx.exe C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iizlfx.exe (tree depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\iizlfx.exe C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmmon32.exe (tree depth 5)
Command line: "C:\Windows\SysWOW64\cmmon32.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 6)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\iizlfx.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fc81nqibepxmw1
MD5 296fcc90486bd93b1a6e0593241d1c7f
SHA1 34c54d85fe773bf6068752501e16a5c9227d5bee
SHA256 2a7dd4eaee410720ffc22a511932a3b1a2b13319f77e0085548d63010e73e18e
SHA512 c29c5a7141c84a88db4e890c207a8c5f36987539b68037c82f3256ea6ef6cd679ee643344c0f028cb42c93b4e70ddb965e557dc419be4a06c91752e3157c4464
-
C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
MD5 ad17464f77b0864dea1025b4ca517e28
SHA1 8c0d2d3aea1c36f8dff24ea2467317ad9773ff68
SHA256 a5a41b0b6c1032840a1bc802b29461ef67486a3f36b9d964df10e884ecba825f
SHA512 e57a70fc66e2eddba4cf097d97e91fd1de2358be96f89c50a36c155916bcbba2b45f4e02d25819a84780bef2735a9fc4d1682d3b1793f7487668ef293d78c331
-
C:\Users\Admin\AppData\Local\Temp\iizlfx.exe
MD5 018adcd630666bff50914157771f6e43
SHA1 40e4d330149f8b86766eac860ce3cc06e01f51ac
SHA256 039e812b1d3a74c11b8f75424072a59733ef54ffbc1afb33c616966205336f2f
SHA512 c2360421eff8f7d5a906690276581e7936f09de0b227b4fed9bda3fc2f261ebb9b5ac5516980bc8ffd60c3d8d3e752a09b246893ebbdd2f46bffddf79971d77f
-
C:\Users\Public\vbc.exe
MD5 8bc5cae30e499dea0d78f85c309be304
SHA1 95b3af264ecfec7155002f8ee9bbc46c4946e84f
SHA256 ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726
SHA512 d6149bcc0747f00b53a429dbd1605433830d8f2f67d638eb5e4feb41cb43f5029f42ddeb23c369a5000d5b37896ee51cf6f79cbdc23f0848ce0a10d62901de99
-
memory/836-58-0x0000000075BE1000-0x0000000075BE3000-memory.dmp
Filesize 8KB
-
memory/980-72-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize 164KB
-
memory/980-79-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize 164KB
-
memory/980-81-0x00000000001D0000-0x00000000001E1000-memory.dmp
Filesize 68KB
-
memory/980-80-0x000000000041D000-0x000000000041E000-memory.dmp
Filesize 4KB
-
memory/980-77-0x0000000000180000-0x0000000000191000-memory.dmp
Filesize 68KB
-
memory/980-76-0x000000000041D000-0x000000000041E000-memory.dmp
Filesize 4KB
-
memory/980-75-0x0000000000910000-0x0000000000C13000-memory.dmp
Filesize 3.0MB
-
memory/1376-83-0x0000000000E20000-0x0000000000E2D000-memory.dmp
Filesize 52KB
-
memory/1376-84-0x00000000000D0000-0x00000000000F9000-memory.dmp
Filesize 164KB
-
memory/1376-85-0x0000000000AD0000-0x0000000000DD3000-memory.dmp
Filesize 3.0MB
-
memory/1376-86-0x00000000008E0000-0x0000000000970000-memory.dmp
Filesize 576KB
-
memory/1408-78-0x0000000004EB0000-0x0000000004FD7000-memory.dmp
Filesize 1.2MB
-
memory/1408-82-0x0000000006620000-0x0000000006752000-memory.dmp
Filesize 1.2MB
-
memory/1408-87-0x0000000006B00000-0x0000000006BB1000-memory.dmp
Filesize 708KB
-
memory/1476-55-0x0000000071BF1000-0x0000000071BF3000-memory.dmp
Filesize 8KB
-
memory/1476-57-0x0000000072BDD000-0x0000000072BE8000-memory.dmp
Filesize 44KB
-
memory/1476-54-0x000000002F0E1000-0x000000002F0E4000-memory.dmp
Filesize 12KB
-
memory/1476-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/1476-88-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB