xloader | dcfc0d21809cf35594dcaa248fa00907c47efe04df346049d4972c380854aa56

General

Target

New Products Inquiry 300522.xlsx
Size

136KB
MD5

676846d78e0b595abea9a8bc027a2998
SHA1

52e3403b5bcb44fe78fc22746f9835efbc02b415
SHA256

dcfc0d21809cf35594dcaa248fa00907c47efe04df346049d4972c380854aa56
SHA512

83e46688840b98ea65c514d38fb13dbebc9a7ab5d342d6f297f983aa63474e0923c7828d2f1a53614335eda73846fddfec0e69a08d9d22cd3136ea6491e0784d

Score

10^/10

xloader be4o loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Xloader Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1744-71-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1744-72-0x000000000041F270-mapping.dmp	xloader
behavioral1/memory/1744-82-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1248-87-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader
behavioral1/memory/1804-91-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp	xloader
behavioral1/memory/1248-92-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1280 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1804 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1280 EQNEDT32.EXE
1280 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	1280	EQNEDT32.EXE

pid	process
1804	vbc.exe

pid	process
1280	EQNEDT32.EXE
1280	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VHLHZLNHGPHL = "C:\\Program Files (x86)\\Ecd2\\colorcpl4hd0fxkx.exe"	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exeraserver.exe

description	pid	process	target process
PID 1804 set thread context of 1744	1804	vbc.exe	vbc.exe
PID 1744 set thread context of 1220	1744	vbc.exe	Explorer.EXE
PID 1248 set thread context of 1220	1248	raserver.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

raserver.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ecd2\colorcpl4hd0fxkx.exe raserver.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1280 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ecd2\colorcpl4hd0fxkx.exe	raserver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1280	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEraserver.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

872 EXCEL.EXE

pid	process
872	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

vbc.exeraserver.exe

pid	process
1744	vbc.exe
1744	vbc.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe
1248	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.exeraserver.exe

pid process

1744 vbc.exe
1744 vbc.exe
1744 vbc.exe
1248 raserver.exe
1248 raserver.exe
1248 raserver.exe
1248 raserver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeExplorer.EXEraserver.exe

description	pid	process
Token: SeDebugPrivilege	1744	vbc.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1248	raserver.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

872 EXCEL.EXE
872 EXCEL.EXE
872 EXCEL.EXE
872 EXCEL.EXE
872 EXCEL.EXE

pid	process
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1280 wrote to memory of 1804	1280	EQNEDT32.EXE	vbc.exe
PID 1280 wrote to memory of 1804	1280	EQNEDT32.EXE	vbc.exe
PID 1280 wrote to memory of 1804	1280	EQNEDT32.EXE	vbc.exe
PID 1280 wrote to memory of 1804	1280	EQNEDT32.EXE	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1804 wrote to memory of 1744	1804	vbc.exe	vbc.exe
PID 1220 wrote to memory of 1248	1220	Explorer.EXE	raserver.exe
PID 1220 wrote to memory of 1248	1220	Explorer.EXE	raserver.exe
PID 1220 wrote to memory of 1248	1220	Explorer.EXE	raserver.exe
PID 1220 wrote to memory of 1248	1220	Explorer.EXE	raserver.exe
PID 1248 wrote to memory of 1520	1248	raserver.exe	cmd.exe
PID 1248 wrote to memory of 1520	1248	raserver.exe	cmd.exe
PID 1248 wrote to memory of 1520	1248	raserver.exe	cmd.exe
PID 1248 wrote to memory of 1520	1248	raserver.exe	cmd.exe
PID 1248 wrote to memory of 1696	1248	raserver.exe	Firefox.exe
PID 1248 wrote to memory of 1696	1248	raserver.exe	Firefox.exe
PID 1248 wrote to memory of 1696	1248	raserver.exe	Firefox.exe
PID 1248 wrote to memory of 1696	1248	raserver.exe	Firefox.exe
PID 1248 wrote to memory of 1696	1248	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Products Inquiry 300522.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1696

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
Filesize
798KB

MD5
fa6cb9677ff2254615166747668a72ed

SHA1
e784bfd8f5f4514569205bb535ed8bc36ab47f28

SHA256
4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

SHA512
e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617

Download Submit
C:\Users\Public\vbc.exe
Filesize
798KB

MD5
fa6cb9677ff2254615166747668a72ed

SHA1
e784bfd8f5f4514569205bb535ed8bc36ab47f28

SHA256
4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

SHA512
e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617

Download Submit
\Users\Public\vbc.exe
Filesize
798KB

MD5
fa6cb9677ff2254615166747668a72ed

SHA1
e784bfd8f5f4514569205bb535ed8bc36ab47f28

SHA256
4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

SHA512
e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617

Download Submit
\Users\Public\vbc.exe
Filesize
798KB

MD5
fa6cb9677ff2254615166747668a72ed

SHA1
e784bfd8f5f4514569205bb535ed8bc36ab47f28

SHA256
4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

SHA512
e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617

Download Submit
memory/872-58-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/872-89-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/872-57-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/872-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/872-55-0x0000000071391000-0x0000000071393000-memory.dmp

Filesize
8KB

Download
memory/872-54-0x000000002FD71000-0x000000002FD74000-memory.dmp

Filesize
12KB

Download
memory/1220-94-0x0000000004DD0000-0x0000000004E92000-memory.dmp

Filesize
776KB

Download
memory/1220-93-0x0000000004DD0000-0x0000000004E92000-memory.dmp

Filesize
776KB

Download
memory/1220-80-0x0000000004C80000-0x0000000004DC6000-memory.dmp

Filesize
1.3MB

Download
memory/1248-92-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1248-88-0x00000000020E0000-0x00000000023E3000-memory.dmp

Filesize
3.0MB

Download
memory/1248-86-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/1248-87-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1248-90-0x00000000004E0000-0x0000000000570000-memory.dmp

Filesize
576KB

Download
memory/1248-81-0x0000000000000000-mapping.dmp

Download
memory/1520-85-0x0000000000000000-mapping.dmp

Download
memory/1744-72-0x000000000041F270-mapping.dmp

Download
memory/1744-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-79-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1744-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-82-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-84-0x0000000002470000-0x0000000002773000-memory.dmp

Filesize
3.0MB

Download
memory/1804-75-0x000007FEF3810000-0x000007FEF39F8000-memory.dmp

Filesize
1.9MB

Download
memory/1804-73-0x000007FEF3A00000-0x000007FEF463F000-memory.dmp

Filesize
12.2MB

Download
memory/1804-77-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp

Filesize
21.5MB

Download
memory/1804-76-0x000007FEF2DC0000-0x000007FEF3810000-memory.dmp

Filesize
10.3MB

Download
memory/1804-78-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp

Filesize
15.3MB

Download
memory/1804-69-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp

Filesize
21.5MB

Download
memory/1804-91-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp

Filesize
15.3MB

Download
memory/1804-66-0x0000000000450000-0x0000000000486000-memory.dmp

Filesize
216KB

Download
memory/1804-65-0x00000000008B0000-0x000000000097C000-memory.dmp

Filesize
816KB

Download
memory/1804-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads