formbook | a63c1bffdc0098cc497b3e02c967ea3bf200dc71742a521564ddc3d4e0b4be41

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-06-2022 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_6305977.xlsx
Size

136KB
MD5

bf43d6ef39e3ec80000aa17b5e1fa8ee
SHA1

a42be18ff81fefbb550d3789770aabd7f7b0a4b2
SHA256

a4c426f7bd1ff3a4292b8ee1e315d58f23a149901b1b245a0c774fa981d67afd
SHA512

ad3977db3960acaf5f21185ea303831b90f6dba497d762079bda5db598db021453e354d521d35e8b6102812a50e3ed8d0ee649a4d45fc53005568c884c85b495

Score

10^/10

formbook g14s rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g14s

Decoy

highnessmagazine.com

mokeyshop.com

remotedesktop.xyz

bicielettrica.xyz

addoncarzspa.com

ironesteem.com

asset-management-int.com

newportnewsaccounting.com

seriesyonkis2.com

hhivac.com

shrmgattlnow.com

yangzhenyu1.xyz

prettylittlenail.com

phyform.com

fggloballlc.com

gamecentertx.com

apriltoken.com

agalign.com

jointventurecoop.club

pengqianyue.tech

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1816-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1816-74-0x000000000041F140-mapping.dmp	formbook
behavioral1/memory/1816-81-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1644-85-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1644-88-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 2032 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exexlarfvuad.exexlarfvuad.exe

pid process

904 vbc.exe
792 xlarfvuad.exe
1816 xlarfvuad.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exexlarfvuad.exe

pid process

2032 EQNEDT32.EXE
904 vbc.exe
792 xlarfvuad.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	2032	EQNEDT32.EXE

pid	process
904	vbc.exe
792	xlarfvuad.exe
1816	xlarfvuad.exe

pid	process
2032	EQNEDT32.EXE
904	vbc.exe
792	xlarfvuad.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xlarfvuad.exexlarfvuad.exewuapp.exe

description	pid	process	target process
PID 792 set thread context of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 1816 set thread context of 1224	1816	xlarfvuad.exe	Explorer.EXE
PID 1644 set thread context of 1224	1644	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2032 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2032	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1392 EXCEL.EXE

pid	process
1392	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

xlarfvuad.exewuapp.exe

pid	process
1816	xlarfvuad.exe
1816	xlarfvuad.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe
1644	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

xlarfvuad.exewuapp.exe

pid process

1816 xlarfvuad.exe
1816 xlarfvuad.exe
1816 xlarfvuad.exe
1644 wuapp.exe
1644 wuapp.exe

pid	process
1224	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

xlarfvuad.exeExplorer.EXEwuapp.exe

description	pid	process
Token: SeDebugPrivilege	1816	xlarfvuad.exe
Token: SeShutdownPrivilege	1224	Explorer.EXE
Token: SeDebugPrivilege	1644	wuapp.exe
Token: SeShutdownPrivilege	1224	Explorer.EXE
Token: SeShutdownPrivilege	1224	Explorer.EXE
Token: SeShutdownPrivilege	1224	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1392 EXCEL.EXE
1392 EXCEL.EXE
1392 EXCEL.EXE
1392 EXCEL.EXE
1392 EXCEL.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1392	EXCEL.EXE
1392	EXCEL.EXE
1392	EXCEL.EXE
1392	EXCEL.EXE
1392	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EQNEDT32.EXEvbc.exexlarfvuad.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 2032 wrote to memory of 904	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 904	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 904	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 904	2032	EQNEDT32.EXE	vbc.exe
PID 904 wrote to memory of 792	904	vbc.exe	xlarfvuad.exe
PID 904 wrote to memory of 792	904	vbc.exe	xlarfvuad.exe
PID 904 wrote to memory of 792	904	vbc.exe	xlarfvuad.exe
PID 904 wrote to memory of 792	904	vbc.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 792 wrote to memory of 1816	792	xlarfvuad.exe	xlarfvuad.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1224 wrote to memory of 1644	1224	Explorer.EXE	wuapp.exe
PID 1644 wrote to memory of 1832	1644	wuapp.exe	cmd.exe
PID 1644 wrote to memory of 1832	1644	wuapp.exe	cmd.exe
PID 1644 wrote to memory of 1832	1644	wuapp.exe	cmd.exe
PID 1644 wrote to memory of 1832	1644	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_6305977.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe"
3⤵
PID:1832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14bjwnh70000oktef97
Filesize
184KB

MD5
39caefe2282d6b8c0eef7d657db7c154

SHA1
cc6604f9985ae1a05f034f799dd6ee550be1d7e8

SHA256
47fc6884f3dee9dfd8def2b3b5f0c38856c0eef9f0c005fd02fef0c1344592f2

SHA512
930bb809904ff5f27420b1ae1a0005ee73b9383e21a41dbd93dbd18f4048c1bfcebbff1b6a189eb63444cd876e95b11c8c346bfa7166f4ddd172fcadbbf73cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lafzmxlg
Filesize
5KB

MD5
bce94db7c34663df2cbd9246ff73a348

SHA1
7ae61ec3e2de7736c42059f798e33950b558e6b4

SHA256
39220e3264b8bd27e6980a0edee02315c1a42e88181b8dc107122cd5d1590b29

SHA512
f9d3fd89a54648cebfacfe1f2f12310b438fb53e8f1eb65fab70ac56ea94da8c72eb239e50da8160a4217f723f0727aa44434b65ebe6c3356a11194d328690e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
C:\Users\Public\vbc.exe
Filesize
247KB

MD5
6d5af3c3cbd850fd982a9b243e2857a7

SHA1
a070566b72fca1e39f52599da8d2f80a0a11fb5f

SHA256
e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57

SHA512
dccba4090f0aef7e59f35d4be64406b7ce7733f59f7ab940e296c5d8b5da852dce11b53d317f71bcf53304088c1c361fc24f8e466915c6d9a1e8dfee17fb4bc1

Download Submit
C:\Users\Public\vbc.exe
Filesize
247KB

MD5
6d5af3c3cbd850fd982a9b243e2857a7

SHA1
a070566b72fca1e39f52599da8d2f80a0a11fb5f

SHA256
e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57

SHA512
dccba4090f0aef7e59f35d4be64406b7ce7733f59f7ab940e296c5d8b5da852dce11b53d317f71bcf53304088c1c361fc24f8e466915c6d9a1e8dfee17fb4bc1

Download Submit
\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize
57KB

MD5
1690cff1fe9dbef048f6e7dbe3cbf586

SHA1
fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b

SHA256
187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077

SHA512
f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22

Download Submit
\Users\Public\vbc.exe
Filesize
247KB

MD5
6d5af3c3cbd850fd982a9b243e2857a7

SHA1
a070566b72fca1e39f52599da8d2f80a0a11fb5f

SHA256
e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57

SHA512
dccba4090f0aef7e59f35d4be64406b7ce7733f59f7ab940e296c5d8b5da852dce11b53d317f71bcf53304088c1c361fc24f8e466915c6d9a1e8dfee17fb4bc1

Download Submit
memory/792-66-0x0000000000000000-mapping.dmp

Download
memory/904-61-0x0000000000000000-mapping.dmp

Download
memory/1224-79-0x0000000004AA0000-0x0000000004B53000-memory.dmp

Filesize
716KB

Download
memory/1224-90-0x00000000074D0000-0x000000000764C000-memory.dmp

Filesize
1.5MB

Download
memory/1224-89-0x00000000074D0000-0x000000000764C000-memory.dmp

Filesize
1.5MB

Download
memory/1392-83-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/1392-57-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/1392-92-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/1392-55-0x0000000070FF1000-0x0000000070FF3000-memory.dmp

Filesize
8KB

Download
memory/1392-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1392-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1392-54-0x000000002F911000-0x000000002F914000-memory.dmp

Filesize
12KB

Download
memory/1392-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-80-0x0000000000000000-mapping.dmp

Download
memory/1644-88-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1644-87-0x0000000000920000-0x00000000009B3000-memory.dmp

Filesize
588KB

Download
memory/1644-84-0x00000000011D0000-0x00000000011DB000-memory.dmp

Filesize
44KB

Download
memory/1644-85-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1644-86-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/1816-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-78-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1816-77-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1816-74-0x000000000041F140-mapping.dmp

Download
memory/1832-82-0x0000000000000000-mapping.dmp

Download