Analysis
-
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-05-2022 13:14
Static task: static1
Behavioral task: behavioral1
  Sample: New Products Inquiry 300522.xlsx
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: New Products Inquiry 300522.xlsx
  Resource: win10v2004-20220414-en
General
-
Target: New Products Inquiry 300522.xlsx
Size: 136KB
MD5: 676846d78e0b595abea9a8bc027a2998
SHA1: 52e3403b5bcb44fe78fc22746f9835efbc02b415
SHA256: dcfc0d21809cf35594dcaa248fa00907c47efe04df346049d4972c380854aa56
SHA512: 83e46688840b98ea65c514d38fb13dbebc9a7ab5d342d6f297f983aa63474e0923c7828d2f1a53614335eda73846fddfec0e69a08d9d22cd3136ea6491e0784d
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign ID: be4o
C2 domains (65): XLoader, the successor of FormBook, embeds 64 decoy domains in its configuration next to the single real C2 and contacts a random subset of them alongside the real one, so most of the entries below are decoys (often unrelated live sites). Use the list for hunting and correlation, not as a verified C2 blocklist.
laboratoriobioixcha.com
tictocperushop.online
wild-oceans.com
belaruscountry.com
kicktmall.com
fitcoinweb.tech
mores.one
gogear.one
gxrcksy.com
samrcq.com
impossible-icecream.com
bravesxx.com
bookchainart.com
sleepsolutionsofmboro.com
ocbrazilbusinessclub.com
advisor76.xyz
xitaotech.com
mgsdtytifgf3414.xyz
johnson-brown.net
cr3drt.com
virtualtourpro.store
transporteriocristal.com
fjbingjiang.com
minecraftrojectx.site
ttrcb.com
sexlarab.com
cxzczc2.online
doorsmm.com
weisbergiegal.com
skythinks.com
schoolsuperaty.com
swampbucketkids.com
networklogicsa.com
businessevs.com
gulfcoastclinicchiro.com
milliards.xyz
moviesquery.com
cycletostack.com
c0wkvo.com
inkingthings.net
cookvillecampgroundvt.com
rajeshprinters.com
binge-bane.biz
ginger9632-voice.cloud
1nfo-post.com
unta.xyz
liuhumu.com
khandaia.info
ha01qnscvts0l.xyz
liert.site
allflowmedia.com
6ibnuj9t.xyz
embravewise.com
responsabilities.com
apexges.com
ola-speechtherapy.com
pristinefarmlands.com
adaraateristiayote.store
journeyhomemeditation.com
96238.top
nosipokip.site
itt-service.com
bw590jumpb.xyz
relieveyourdog.com
qiyeweiiliaoo0428.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 6 IoCs
Processes (resource / yara_rule):
behavioral1/memory/1744-71-0x0000000000400000-0x000000000042B000-memory.dmp xloader
behavioral1/memory/1744-72-0x000000000041F270-mapping.dmp xloader
behavioral1/memory/1744-82-0x0000000000400000-0x000000000042B000-memory.dmp xloader
behavioral1/memory/1248-87-0x0000000000080000-0x00000000000AB000-memory.dmp xloader
behavioral1/memory/1804-91-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp xloader
behavioral1/memory/1248-92-0x0000000000080000-0x00000000000AB000-memory.dmp xloader
-
Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
3 1280 EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
1804 vbc.exe
-
Loads dropped DLL 2 IoCs
Processes (pid / process):
1280 EQNEDT32.EXE
1280 EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs (the legitimate C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe is spawned by the dropped C:\Users\Public\vbc.exe and targeted with SetThreadContext, i.e. used as a hollowing host; the Xloader YARA hits on pid 1744 are that hollowed process)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run raserver.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VHLHZLNHGPHL = "C:\\Program Files (x86)\\Ecd2\\colorcpl4hd0fxkx.exe" raserver.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process -> target process):
PID 1804 set thread context of 1744 (1804 vbc.exe -> vbc.exe)
PID 1744 set thread context of 1220 (1744 vbc.exe -> Explorer.EXE)
PID 1248 set thread context of 1220 (1248 raserver.exe -> Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes (description / ioc / process):
File opened for modification C:\Program Files (x86)\Ecd2\colorcpl4hd0fxkx.exe raserver.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. In this run it was started out-of-process (-Embedding) while the workbook was open, made an outbound network request, and spawned the dropped C:\Users\Public\vbc.exe (see Downloads), the usual shape of an Equation Editor memory-corruption exploit fetching and running a payload.
-
Modifies Internet Explorer settings 32 IoCs
All but one of these entries are Excel re-registering its HTML/MHTML editor handlers and menu extensions. The exception is raserver.exe creating the user's Software\Microsoft\Internet Explorer\IntelliForms\Storage2 key, the store Internet Explorer uses for saved form data and credentials, consistent with the injected Xloader payload reading browser credentials.
Processes (description / ioc / process):
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE
Key created \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 raserver.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE
-
Modifies registry class 64 IoCs
Processes (description / ioc / process):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE
-
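The "Set value (data)" rows in the Internet Explorer settings table and in the registry class table repeat the same three hex blobs. The script below is an added example and not part of the sandbox report: it decodes those blobs (they are UTF-16LE strings), parses them as Windows Installer Darwin descriptors and decompresses the embedded 20-character product code, which comes out as {90140000-0011-0000-0000-0000000FF1CE}, the Office Professional Plus 2010 product GUID. That is the check that tells an analyst these registry writes are Office repairing its own .htm/.mht handlers rather than a malicious handler hijack. The hex strings and value labels are copied from the tables; the base-85 alphabet is the one Windows Installer uses for compressed GUIDs (as implemented in Wine's msi code); the function names are this example's own.

```python
"""Decode the hex 'Set value (data)' registry payloads from this report.

Added example, not part of the sandbox output. Hex values are copied from
the IoC tables; the base-85 table is Windows Installer's compressed-GUID
alphabet (as in Wine's msi/registry.c).
"""
import struct
import uuid

# Windows Installer's 85-character alphabet for compressed (20-char) GUIDs.
_BASE85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
           "abcdefghijklmnopqrstuvwxyz{}~")
_DEC85 = {c: i for i, c in enumerate(_BASE85)}

# The three distinct (data) values Excel wrote, labelled by the handler they
# belong to (WINWORD, MSPUB, EXCEL command keys).
REPORT_VALUES = {
    "winword": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    "mspub": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
    "excel": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
}

# Product code of Microsoft Office Professional Plus 2010 (x86), used as
# the expected result for a benign Office self-repair descriptor.
OFFICE_2010_PROPLUS = "{90140000-0011-0000-0000-0000000FF1CE}"


def decode_reg_data(hex_value: str) -> str:
    """Hex -> raw bytes -> UTF-16LE text, minus the trailing NUL terminators."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def decompress_msi_guid(compressed: str) -> str:
    """Expand a 20-char compressed MSI GUID into {XXXXXXXX-XXXX-...} form.

    Each group of five base-85 digits (least significant digit first) is one
    little-endian DWORD of the in-memory GUID structure, in field order.
    """
    if len(compressed) != 20 or any(c not in _DEC85 for c in compressed):
        raise ValueError("not a compressed MSI GUID: %r" % compressed)
    dwords = []
    for i in range(0, 20, 5):
        dwords.append(sum(_DEC85[c] * 85 ** j
                          for j, c in enumerate(compressed[i:i + 5])))
    if any(d > 0xFFFFFFFF for d in dwords):
        raise ValueError("digit group overflows a DWORD: %r" % compressed)
    return "{%s}" % str(uuid.UUID(bytes_le=struct.pack("<4I", *dwords))).upper()


def parse_darwin_descriptor(text: str) -> dict:
    """Split '<product:20><feature>><component:20> <args>' into its parts."""
    head, sep, tail = text.partition(">")
    if not sep or len(head) < 21 or len(tail) < 20:
        raise ValueError("not a Darwin descriptor: %r" % text)
    return {
        "product_code": decompress_msi_guid(head[:20]),
        "feature": head[20:],
        "component": decompress_msi_guid(tail[:20]),
        "args": tail[20:].strip(),
    }


def triage_report_values(values: dict = REPORT_VALUES) -> dict:
    """Decode every value and flag whether it is Office 2010's own descriptor."""
    out = {}
    for label, hex_value in values.items():
        info = parse_darwin_descriptor(decode_reg_data(hex_value))
        info["office_2010_self_repair"] = info["product_code"] == OFFICE_2010_PROPLUS
        out[label] = info
    return out


if __name__ == "__main__":
    for label, info in triage_report_values().items():
        print(label, info)
```

Running it prints, for each value, the product code, the feature name (WORDFiles, PubPrimary, EXCELFiles) and the trailing arguments (/n "%1", %1, /dde). The case worth escalating is the opposite result: a descriptor whose product code is not a product installed on the host, or a command value that decodes to a plain path outside the Office directory.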
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid / process):
872 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid / process):
1744 vbc.exe (2 events)
1248 raserver.exe (21 events)
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid / process):
1744 vbc.exe (3 events)
1248 raserver.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege 1744 vbc.exe
Token: SeShutdownPrivilege 1220 Explorer.EXE
Token: SeShutdownPrivilege 1220 Explorer.EXE
Token: SeDebugPrivilege 1248 raserver.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid / process):
872 EXCEL.EXE (5 events)
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes (description / pid / process -> target process):
PID 1280 wrote to memory of 1804 (1280 EQNEDT32.EXE -> vbc.exe), 4 events
PID 1804 wrote to memory of 1744 (1804 vbc.exe -> vbc.exe), 6 events
PID 1220 wrote to memory of 1248 (1220 Explorer.EXE -> raserver.exe), 4 events
PID 1248 wrote to memory of 1520 (1248 raserver.exe -> cmd.exe), 4 events
PID 1248 wrote to memory of 1696 (1248 raserver.exe -> Firefox.exe), 5 events
Processes
-
C:\Windows\Explorer.EXE (pid 1220, depth 1)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 872, depth 2)
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Products Inquiry 300522.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\raserver.exe (pid 1248, depth 2)
    cmdline: "C:\Windows\SysWOW64\raserver.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (pid 1520, depth 3)
      cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    C:\Program Files\Mozilla Firefox\Firefox.exe (pid 1696, depth 3)
      cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 1280, depth 1)
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (pid 1804, depth 2)
    cmdline: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (pid 1744, depth 3)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
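The tree above is the whole chain: Equation Editor (started by DCOM, so it has no Office parent), a dropped vbc.exe in C:\Users\Public, the genuine .NET vbc.exe used as a hollowing host (SetThreadContext), injection into Explorer.EXE, and raserver.exe as the final host that writes the Run key and deletes the hollowed binary's on-disk copy through cmd.exe. The following is an added example, not part of the sandbox report: it replays those events as constructed telemetry records (pids as reported; the record schema and rule names are this example's own, not any EDR's) and runs five detection rules over them, each keyed on a behaviour visible in the tree rather than on the file hashes, so the same rules still fire when the next campaign rotates the dropper.

```python
"""Detection rules for the execution chain shown in this report.

Added example, not part of the sandbox output. EVENTS is a constructed
replay of the report's process tree, SetThreadContext calls and Run-key
write (pids as reported); the record fields are this example's own schema.
"""
import re
from pathlib import PureWindowsPath

# EQNEDT32.EXE sits at the top of the tree because DCOM, not Excel, starts
# it; its parent is therefore unknown (ppid 0) just as in the report.
EVENTS = [
    {"type": "process", "pid": 1220, "ppid": 0,
     "image": r"C:\Windows\Explorer.EXE", "cmdline": "Explorer.EXE"},
    {"type": "process", "pid": 872, "ppid": 1220,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'EXCEL.EXE /dde "C:\Users\Admin\AppData\Local\Temp\New Products Inquiry 300522.xlsx"'},
    {"type": "process", "pid": 1280, "ppid": 0,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"type": "process", "pid": 1804, "ppid": 1280,
     "image": r"C:\Users\Public\vbc.exe", "cmdline": "vbc.exe"},
    {"type": "process", "pid": 1744, "ppid": 1804,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": "vbc.exe"},
    {"type": "process", "pid": 1248, "ppid": 1220,
     "image": r"C:\Windows\SysWOW64\raserver.exe", "cmdline": "raserver.exe"},
    {"type": "process", "pid": 1520, "ppid": 1248,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"type": "process", "pid": 1696, "ppid": 1248,
     "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe", "cmdline": "Firefox.exe"},
    {"type": "set_thread_context", "pid": 1804, "target_pid": 1744},
    {"type": "set_thread_context", "pid": 1744, "target_pid": 1220},
    {"type": "set_thread_context", "pid": 1248, "target_pid": 1220},
    {"type": "registry_set", "pid": 1248,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "VHLHZLNHGPHL",
     "data": r"C:\Program Files (x86)\Ecd2\colorcpl4hd0fxkx.exe"},
]

# Directories an unprivileged user can write to; a parent living there has
# no business launching binaries out of C:\Windows.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\")
RANDOM_NAME = re.compile(r"^[A-Z]{8,}$")          # Run value names like VHLHZLNHGPHL
SELF_DELETE = re.compile(r"/c\s+del\s+.*\.exe", re.I)


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _in_user_writable(image: str) -> bool:
    return any(tok in image.lower() for tok in USER_WRITABLE)


def _finding(rule: str, pid: int, detail: str) -> dict:
    return {"rule": rule, "pid": pid, "detail": detail}


def detect(events: list) -> list:
    """Run all rules over the event list and return the findings in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            image = e["image"].lower()
            # Equation Editor never needs child processes: any child is an exploit.
            if parent and _basename(parent["image"]) == "eqnedt32.exe":
                hits.append(_finding("equation_editor_spawned_process", e["pid"], e["image"]))
            if image.startswith("c:\\users\\public\\"):
                hits.append(_finding("exec_from_users_public", e["pid"], e["image"]))
            # A Windows binary started by something in a user-writable dir is a
            # classic hollowing host (here the .NET vbc.exe).
            if parent and image.startswith("c:\\windows\\") and _in_user_writable(parent["image"]):
                hits.append(_finding("system_binary_child_of_untrusted_parent", e["pid"],
                                     "parent %s" % parent["image"]))
            if _basename(e["image"]) == "cmd.exe" and SELF_DELETE.search(e["cmdline"]):
                hits.append(_finding("self_delete_via_cmd", e["pid"], e["cmdline"]))
        elif e["type"] == "set_thread_context" and e["pid"] != e["target_pid"]:
            target = procs.get(e["target_pid"])
            hits.append(_finding("cross_process_setthreadcontext", e["pid"],
                                 "target pid %d (%s)" % (e["target_pid"],
                                                         target["image"] if target else "?")))
        elif e["type"] == "registry_set" and e["key"].lower().endswith("\\currentversion\\run"):
            writer = procs.get(e["pid"])
            writer_is_system = bool(writer) and writer["image"].lower().startswith("c:\\windows\\")
            # Random all-caps value name, or a Windows system binary registering
            # a third-party autorun: both are what raserver.exe did here.
            if RANDOM_NAME.match(e["name"]) or writer_is_system:
                hits.append(_finding("suspicious_run_key", e["pid"],
                                     "%s = %s" % (e["name"], e["data"])))
    return hits


def rules_fired(events: list = EVENTS) -> set:
    return {h["rule"] for h in detect(events)}


if __name__ == "__main__":
    for h in detect(EVENTS):
        print("%-42s pid=%-5d %s" % (h["rule"], h["pid"], h["detail"]))
```

Against the replayed chain the rules produce eight findings: two on the dropper (Equation Editor child, executable in C:\Users\Public), one on the hollowed .NET vbc.exe, three cross-process SetThreadContext calls (1804 into 1744, 1744 into Explorer, raserver.exe into Explorer), the cmd.exe self-delete, and the Run key. Excel and Explorer alone trigger nothing, which is the false-positive check worth keeping in the test.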
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
Filesize: 798KB
MD5: fa6cb9677ff2254615166747668a72ed
SHA1: e784bfd8f5f4514569205bb535ed8bc36ab47f28
SHA256: 4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55
SHA512: e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617
-
\Users\Public\vbc.exe
Filesize: 798KB
MD5: fa6cb9677ff2254615166747668a72ed
SHA1: e784bfd8f5f4514569205bb535ed8bc36ab47f28
SHA256: 4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55
SHA512: e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617
-
memory/872-58-0x00000000764C1000-0x00000000764C3000-memory.dmp  Filesize 8KB
memory/872-89-0x000000007237D000-0x0000000072388000-memory.dmp  Filesize 44KB
memory/872-57-0x000000007237D000-0x0000000072388000-memory.dmp  Filesize 44KB
memory/872-56-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
memory/872-55-0x0000000071391000-0x0000000071393000-memory.dmp  Filesize 8KB
memory/872-54-0x000000002FD71000-0x000000002FD74000-memory.dmp  Filesize 12KB
memory/1220-94-0x0000000004DD0000-0x0000000004E92000-memory.dmp  Filesize 776KB
memory/1220-93-0x0000000004DD0000-0x0000000004E92000-memory.dmp  Filesize 776KB
memory/1220-80-0x0000000004C80000-0x0000000004DC6000-memory.dmp  Filesize 1.3MB
memory/1248-92-0x0000000000080000-0x00000000000AB000-memory.dmp  Filesize 172KB
memory/1248-88-0x00000000020E0000-0x00000000023E3000-memory.dmp  Filesize 3.0MB
memory/1248-86-0x0000000000330000-0x000000000034C000-memory.dmp  Filesize 112KB
memory/1248-87-0x0000000000080000-0x00000000000AB000-memory.dmp  Filesize 172KB
memory/1248-90-0x00000000004E0000-0x0000000000570000-memory.dmp  Filesize 576KB
memory/1248-81-0x0000000000000000-mapping.dmp
memory/1520-85-0x0000000000000000-mapping.dmp
memory/1744-72-0x000000000041F270-mapping.dmp
memory/1744-68-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize 172KB
memory/1744-79-0x00000000002C0000-0x00000000002D1000-memory.dmp  Filesize 68KB
memory/1744-67-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize 172KB
memory/1744-71-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize 172KB
memory/1744-82-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize 172KB
memory/1744-84-0x0000000002470000-0x0000000002773000-memory.dmp  Filesize 3.0MB
memory/1804-75-0x000007FEF3810000-0x000007FEF39F8000-memory.dmp  Filesize 1.9MB
memory/1804-73-0x000007FEF3A00000-0x000007FEF463F000-memory.dmp  Filesize 12.2MB
memory/1804-77-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp  Filesize 21.5MB
memory/1804-76-0x000007FEF2DC0000-0x000007FEF3810000-memory.dmp  Filesize 10.3MB
memory/1804-78-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp  Filesize 15.3MB
memory/1804-69-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp  Filesize 21.5MB
memory/1804-91-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp  Filesize 15.3MB
memory/1804-66-0x0000000000450000-0x0000000000486000-memory.dmp  Filesize 216KB
memory/1804-65-0x00000000008B0000-0x000000000097C000-memory.dmp  Filesize 816KB
memory/1804-62-0x0000000000000000-mapping.dmp