Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 10-05-2022 09:41
Static task: static1
Behavioral task behavioral1: sample Darko doo Ponuda.xlsx, resource win7-20220414-en
Behavioral task behavioral2: sample Darko doo Ponuda.xlsx, resource win10v2004-20220414-en
Behavioral task behavioral3: sample decrypted.xlsx, resource win7-20220414-en
Behavioral task behavioral4: sample decrypted.xlsx, resource win10v2004-20220414-en
General
Target: decrypted.xlsx
Size: 201KB
MD5: e3506e12375a78e25c3928281dd19102
SHA1: 94661f72f88800f105b413d7c93f9dc0a539f449
SHA256: 16810206b9173b8f136c97f9d73fa19570aa14c697161774b1082fbd42a0a611
SHA512: 083de22c84ea7ce61eddb0a5cbc7ecf2340dd708552a942713f991dd3a3a60c659ade36f9ed03bf657e707b7f275d1c6116427e5ca9d733a35cb99eafc7ac659
The behaviour, process tree, dropped files and memory dumps below come from behavioral3 (decrypted.xlsx on win7-20220414-en), as the YARA resource paths behavioral3/memory/... show.
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: arh2
Domains (65):
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
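A detection sweep over DNS query logs using the domain list extracted above, as an added example that is not part of the sandbox report. The domain set is copied from the Malware Config section; the log lines are constructed for the example and use an assumed "timestamp client qname" layout, so the line parser is the part to adapt to a real resolver's format. XLoader configs pad the list with decoy domains, so a single hit is weaker evidence than the Suricata check-in signature; the example therefore also reports clients that resolved several of the listed domains.

```python
"""Match DNS query logs against the XLoader 2.6 (campaign arh2) domain list.

Added example; the domain set is copied from the report above, the log
lines are constructed, and the "timestamp client qname" layout is assumed.
"""
from __future__ import annotations

from typing import Iterable, NamedTuple

# Domains exactly as listed in the report's extracted config.
XLOADER_ARH2_DOMAINS = frozenset({
    "hstorc.com", "blackountry.com", "dhrbakery.com", "dezhouofit.com",
    "defipayout.xyz", "ginas4t.com", "byzbh63.xyz", "qrcrashview.com",
    "mialibaby.com", "enhaut.net", "samainnova.com", "yashveerresort.com",
    "delfos.online", "dungcumay.com", "lj-counseling.net", "fliptheswitch.pro",
    "padogbitelawyer.com", "aticarev.com", "sederino.site",
    "bestplansforpets-japan3.life", "radicallysimplesupps.com",
    "sandbagmaker.com", "misdcf.xyz", "nbpz.xyz", "floridasunbreaks.com",
    "justfinishesofcolorado.com", "homemethtestkit.com",
    "chaquetashapticas.com", "zodiactshirt.com", "tees.email", "zxzx999.com",
    "tempepdf.com", "watchusroll.com", "parotacenter.com",
    "assistcourse.online", "paulstilingroup.com", "cnbcfx.com",
    "mooncore.xyz", "laplugnation.com", "gosti24.com",
    "cthomassolutions.com", "rkhubs.com", "aboutpier.com",
    "multimediaroomandboard.com", "iamparrot.com", "wifitest.info",
    "nounworld.com", "xpartner.biz", "128grandviewdrivenewportnsw.com",
    "bakiin.com", "suitcell.com", "onehitgamerstudios.com",
    "bathingsuitsshoppingus.com", "wingstarifa.com", "ccasudqi.com",
    "epiconscious.com", "ponponshoes.com", "cicom.tech",
    "safetynetinc.net", "recanto.xyz", "sellsidelite.net",
    "kevmoinesproperties.com", "hdwallpaperpics.life", "57gznfw.xyz",
    "abtys6.online",
})


class Hit(NamedTuple):
    ts: str
    client: str
    qname: str
    matched: str


def matched_domain(qname: str) -> str | None:
    """Return the config domain that qname equals or is a subdomain of.

    Suffixes are compared label by label, so "notdelfos.online" does not
    match "delfos.online" the way a naive str.endswith() check would.
    """
    labels = qname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in XLOADER_ARH2_DOMAINS:
            return candidate
    return None


def match_dns_log(lines: Iterable[str]) -> list[Hit]:
    """Scan assumed "timestamp client qname" lines; skip malformed ones."""
    hits: list[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                           # do not let one bad line abort the sweep
        ts, client, qname = parts[0], parts[1], parts[2]
        domain = matched_domain(qname)
        if domain:
            hits.append(Hit(ts, client, qname, domain))
    return hits


def clients_with_multiple_hits(hits: Iterable[Hit], minimum: int = 2) -> set[str]:
    """Clients that resolved at least `minimum` distinct listed domains."""
    seen: dict[str, set[str]] = {}
    for h in hits:
        seen.setdefault(h.client, set()).add(h.matched)
    return {client for client, domains in seen.items() if len(domains) >= minimum}


# Constructed sample log (not from the report): two listed domains from one
# client, a benign query, a look-alike that must not match, and a bad line.
SAMPLE_DNS_LOG = """\
2022-05-10T09:42:01Z 10.0.0.15 www.hstorc.com.
2022-05-10T09:42:03Z 10.0.0.15 update.microsoft.com
2022-05-10T09:42:05Z 10.0.0.15 DEFIPAYOUT.XYZ
2022-05-10T09:42:07Z 10.0.0.22 notdelfos.online
2022-05-10T09:42:09Z 10.0.0.31 tees.email.
malformed line
""".splitlines()

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.ts} {hit.client} {hit.qname} -> {hit.matched}")
    print("multi-hit clients:", clients_with_multiple_hits(match_dns_log(SAMPLE_DNS_LOG)))
```

Matching on label boundaries matters in both directions: it catches subdomains the config does not spell out (the real C2 path is a URI on one of these hosts, and the host may carry a www. prefix) while refusing look-alikes that merely end with the same characters.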
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
XLoader is the rebranded continuation of FormBook and keeps its check-in format, so the FormBook rule matching this sample's C2 traffic is expected rather than a misattribution. The downloader rule is consistent with the EQNEDT32.EXE network flow (flow 3, PID 1540) that fetched the MZ/PE file recorded below.
Xloader Payload 4 IoCs
  behavioral3/memory/2016-76-0x000000000041F270-mapping.dmp  yara_rule: xloader
  behavioral3/memory/2016-75-0x0000000000400000-0x000000000042B000-memory.dmp  yara_rule: xloader
  behavioral3/memory/2016-79-0x0000000000400000-0x000000000042B000-memory.dmp  yara_rule: xloader
  behavioral3/memory/1740-85-0x0000000000080000-0x00000000000AB000-memory.dmp  yara_rule: xloader
Blocklisted process makes network request 1 IoCs
  flow 3  pid 1540  process EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
  pid 1348  vbc.exe
  pid 1168  imqegvldrv.exe
  pid 2016  imqegvldrv.exe
Loads dropped DLL 6 IoCs
  pid 1540  EQNEDT32.EXE (3 loads)
  pid 1348  vbc.exe (2 loads)
  pid 1168  imqegvldrv.exe (1 load)
Uses the VBS compiler for execution 1 TTPs
This signature keys on the file name. Here vbc.exe is the 252KB executable written to C:\Users\Public after the EQNEDT32.EXE download (see Downloads) and started with no arguments, which is not how the .NET Visual Basic compiler is invoked; treat it as a dropper that borrows a trusted name.
Suspicious use of SetThreadContext 3 IoCs
  PID 1168 (imqegvldrv.exe) set thread context of PID 2016 (imqegvldrv.exe)
  PID 2016 (imqegvldrv.exe) set thread context of PID 1416 (Explorer.EXE)
  PID 1740 (svchost.exe) set thread context of PID 1416 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; XLoader is an information stealer and no file encryption is recorded anywhere in this report, so read the label as the heuristic's boilerplate rather than as evidence of encryption activity.
Enumerates system info in registry 2 TTPs 1 IoCs
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882, a stack buffer overflow in EQNEDT32.EXE's handling of font names in embedded equation objects; Microsoft patched it in November 2017 and removed the component from Office in January 2018. In the process tree below EQNEDT32.EXE is started out of process with -Embedding (the COM server activation Excel triggers when it loads an embedded equation object) and then makes a network request and spawns vbc.exe, neither of which the legitimate editor does.
Modifies Internet Explorer settings
Process: EXCEL.EXE (all entries). These are Office 2010's own registration of its Internet Explorer editor verbs and menu extensions (ONBttnIE.dll, WINWORD.EXE /n, the Export to Excel menu entry); none of the values references the dropped files.
  Set value (str)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  Set value (str)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (int)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created       \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key created       \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key created       \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key created       \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Modifies registry class 64 IoCs
Process: EXCEL.EXE (all entries). All values point at Office14 binaries (WINWORD.EXE /n, EXCEL.EXE /dde, MSPUB.EXE, msohtmed.exe, msohevi.dll) and register Edit/Open verbs and DDE topics for .htm/.mht content; the two REG_BINARY "command" values are Windows Installer descriptors for the same verbs.
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
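A decoder for the two REG_BINARY "command" values that EXCEL.EXE writes in the Internet Explorer settings and registry class sections above, as an added example that is not part of the sandbox report. The hex blobs are copied from the report; the layout assumed here is the Windows Installer "Darwin descriptor" Office uses for advertised verbs: a 20-character compressed ProductCode, a feature name, a ">" separator, a 20-character compressed ComponentId, then any literal arguments, all stored as UTF-16LE with a double NUL terminator. Decoding them is the quickest way to confirm that these writes are Office's own self-repair of its file-association verbs and carry no reference to the dropped binaries.

```python
"""Decode the REG_BINARY 'command' values recorded for EXCEL.EXE above.

Added example. The two hex strings are copied from the report; the
Darwin-descriptor layout (20-char ProductCode, feature, '>', 20-char
ComponentId, arguments) is an assumption about how Office stores
advertised verbs, and the parser raises if a value does not fit it.
"""
from __future__ import annotations

from typing import NamedTuple

# ...\.htm\OpenWithList\Microsoft Word\shell\edit\command\command (from the report)
WORD_EDIT_COMMAND = (
    "78006200270042005600350021002100"
    "21002100210021002100210021004d00"
    "4b004b0053006b0057004f0052004400"
    "460069006c00650073003e0062006900"
    "2400540021005600210030005a003d00"
    "7b0050006b00300076006d007e004100"
    "5a00750020002f006e00200022002500"
    "3100220000000000"
)
# ...\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command (from the report)
EXCEL_EDIT_COMMAND = (
    "78006200270042005600350021002100"
    "21002100210021002100210021004d00"
    "4b004b0053006b004500580043004500"
    "4c00460069006c00650073003e005600"
    "69006a00710042006f00660028005900"
    "38002700770021004600490064003100"
    "67004c00510020002f00640064006500"
    "00000000"
)

COMPRESSED_GUID_LEN = 20   # MSI base-85 "compressed GUID" length (assumed layout)


class DarwinDescriptor(NamedTuple):
    product: str      # compressed ProductCode
    feature: str      # feature that must be installed for the verb
    component: str    # compressed ComponentId whose key path is the target
    args: str         # literal arguments appended to the resolved path


def decode_multi_sz(hex_blob: str) -> str:
    """UTF-16LE registry data -> first string (double-NUL terminated)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("UTF-16LE data must have an even byte count")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def parse_darwin_descriptor(text: str) -> DarwinDescriptor:
    head, sep, tail = text.partition(">")
    if not sep or len(head) <= COMPRESSED_GUID_LEN or len(tail) < COMPRESSED_GUID_LEN:
        raise ValueError(f"not a Darwin descriptor: {text!r}")
    return DarwinDescriptor(
        product=head[:COMPRESSED_GUID_LEN],
        feature=head[COMPRESSED_GUID_LEN:],
        component=tail[:COMPRESSED_GUID_LEN],
        args=tail[COMPRESSED_GUID_LEN:].strip(),
    )


def describe(hex_blob: str) -> DarwinDescriptor:
    """Decode one registry value as recorded (hex) into its descriptor parts."""
    return parse_darwin_descriptor(decode_multi_sz(hex_blob))


if __name__ == "__main__":
    for label, blob in (("Word edit verb", WORD_EDIT_COMMAND), ("Excel edit verb", EXCEL_EDIT_COMMAND)):
        d = describe(blob)
        print(f"{label}: feature={d.feature} args={d.args!r} product={d.product} component={d.component}")
```

Both values decode to the same ProductCode (the Office 2010 product that owns EXCEL.EXE and WINWORD.EXE), the features WORDFiles and EXCELFiles, and the same literal arguments (/n "%1" and /dde) that the plain-string command values beside them carry; nothing in them resolves to C:\Users\Public or the Temp directory. Anything else in that slot, such as a plain path outside the Office directory, would be worth chasing.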
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid 2040  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 25 IoCs
  pid 2016  imqegvldrv.exe (2)
  pid 1740  svchost.exe (23)
Suspicious behavior: MapViewOfSection 5 IoCs
  pid 2016  imqegvldrv.exe (3)
  pid 1740  svchost.exe (2)
Suspicious use of AdjustPrivilegeToken 5 IoCs
  Token: SeDebugPrivilege     pid 2016  imqegvldrv.exe
  Token: SeDebugPrivilege     pid 1740  svchost.exe
  Token: SeShutdownPrivilege  pid 1416  Explorer.EXE (3)
Suspicious use of SetWindowsHookEx 3 IoCs
  pid 2040  EXCEL.EXE (3)
Suspicious use of WriteProcessMemory 23 IoCs
  PID 1540 (EQNEDT32.EXE) wrote to memory of PID 1348 (vbc.exe) (4)
  PID 1348 (vbc.exe) wrote to memory of PID 1168 (imqegvldrv.exe) (4)
  PID 1168 (imqegvldrv.exe) wrote to memory of PID 2016 (imqegvldrv.exe) (7)
  PID 1416 (Explorer.EXE) wrote to memory of PID 1740 (svchost.exe) (4)
  PID 1740 (svchost.exe) wrote to memory of PID 1172 (cmd.exe) (4)
Processes
PIDs are taken from the signature sections above. The tree has two roots because EQNEDT32.EXE is started as a COM server (-Embedding) rather than as a child of EXCEL.EXE.

C:\Windows\Explorer.EXE (PID 1416)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2040)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\svchost.exe (PID 1740)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1172)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1540)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (PID 1348)
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe (PID 1168)
      command line: C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe C:\Users\Admin\AppData\Local\Temp\iljgdqwch
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe (PID 2016)
        command line: C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe C:\Users\Admin\AppData\Local\Temp\iljgdqwch
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\gct18t4fxwg4bvxmzdzr
  Filesize: 171KB
  MD5: c546900e14a64ce727dcfa66db514d20
  SHA1: 55163b2b5752da55bd1fedb475850e3aab7cef36
  SHA256: 7b10cc4b3f510d7bfb59227f67dfd8cbf2479bcb81743ead1aa1ac6890b50026
  SHA512: 40a2f46d410131c2204288fe78fc8d938e1422d8838b8a9aec484fbe0e6a628bda636384622498748f39dc1abd30fdf71037ebc9cf2f640b48c7a2d4863199da
C:\Users\Admin\AppData\Local\Temp\iljgdqwch
  Filesize: 5KB
  MD5: d512ae3c82dc9c4a734f62fd19f93a3c
  SHA1: 0f1696503c07f053d8407a89d599e692c854f4a8
  SHA256: e3e3c6a0b6b7b4deaff9520cf13f12d95ef94c2534bb53dd5535219cbfbf8644
  SHA512: d0dfbdfffe1be6bc955525d712c6600e97d61f37d5cfa6e00a65ad9a7dfa50f944eaa6fe4b517ae09648382dae933af5c154e403c8953c8a3fa16efe97a1b3fb
C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe
  Filesize: 73KB
  MD5: c2bf5c55761a0e43925c92e5019ea937
  SHA1: 82809d57cb074155652ee3b9e8b888c9c3e7d6da
  SHA256: 60e0105b3ce8d6f7a97e81c6d751d9196f2222e2406f3702238423f43f62e1b3
  SHA512: c850addeeb17f28dfb80c9b094b0ed31139c21b6b532738ba676eeb52919c49c094b12d76c5fb46f1b596c0e54e1d5e45d9d190e5d7e5e019611a0937bfc4e0c
C:\Users\Public\vbc.exe
  Filesize: 252KB
  MD5: 54b3f1c51ae8550134a0d40970b455a9
  SHA1: 04a17aff62adc436be17b26e202773e18f0394f0
  SHA256: f156099a9282dcdcab3acbf57c50bc1d0121a6e9714d43ba69ab9934ab0d9439
  SHA512: d9d04847d6fdc4556819ac6794bfd8d722d9af243ca4a331d6bf1b9e9d21292e38dce7224db412f1f08cd366970d7307444329b0f7c6179aadd3e5d54f6e5131
\Users\Admin\AppData\Local\Temp\imqegvldrv.exe
  Same file as C:\Users\Admin\AppData\Local\Temp\imqegvldrv.exe above (73KB, identical MD5/SHA1/SHA256/SHA512).
\Users\Public\vbc.exe
  Same file as C:\Users\Public\vbc.exe above (252KB, identical MD5/SHA1/SHA256/SHA512).
Memory dumps
memory/1168-69-0x0000000000000000-mapping.dmp
memory/1172-86-0x0000000000000000-mapping.dmp
memory/1348-63-0x0000000000000000-mapping.dmp
memory/1416-93-0x000007FF11910000-0x000007FF1191A000-memory.dmp (40KB)
memory/1416-82-0x0000000006FA0000-0x00000000070C6000-memory.dmp (1.1MB)
memory/1416-92-0x000007FEF6BA0000-0x000007FEF6CE3000-memory.dmp (1.3MB)
memory/1416-89-0x0000000009540000-0x00000000096AA000-memory.dmp (1.4MB)
memory/1740-84-0x0000000000350000-0x0000000000358000-memory.dmp (32KB)
memory/1740-83-0x0000000000000000-mapping.dmp
memory/1740-88-0x0000000000620000-0x00000000006B0000-memory.dmp (576KB)
memory/1740-87-0x00000000007A0000-0x0000000000AA3000-memory.dmp (3.0MB)
memory/1740-85-0x0000000000080000-0x00000000000AB000-memory.dmp (172KB)
memory/2016-81-0x0000000000340000-0x0000000000351000-memory.dmp (68KB)
memory/2016-76-0x000000000041F270-mapping.dmp
memory/2016-75-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/2016-80-0x0000000000740000-0x0000000000A43000-memory.dmp (3.0MB)
memory/2016-79-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/2040-55-0x00000000718B1000-0x00000000718B3000-memory.dmp (8KB)
memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/2040-57-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (8KB)
memory/2040-90-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/2040-58-0x000000007289D000-0x00000000728A8000-memory.dmp (44KB)
memory/2040-54-0x000000002FB61000-0x000000002FB64000-memory.dmp (12KB)