Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
15-06-2022 18:28
Static task
static1
Behavioral task
behavioral1
Sample
LTL20I_order.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
LTL20I_order.xlsx
Resource
win10v2004-20220414-en
General
-
Target
LTL20I_order.xlsx
-
Size
255KB
-
MD5
bc64945d52b06b5a7f2259652722b4e6
-
SHA1
3e67f1d30e44c5f4b916165fb17944a168790b3b
-
SHA256
37321110b446c4565664a30d4729dfb08d8ee9a1d3b3c03a5203a851b831e0b2
-
SHA512
bb3685e9dedff8bbf4d1ad8c5fdeacef1efd538045da508f3232b418848d4052eb233020301b633b6328ac6cf011cc3c93234af28a81eb069c99a81aaa6b8fa2
Malware Config
Extracted
formbook
4.1
s3s3
tvielotus.com
teesta.xyz
talentrecruitor.com
pamaungipb.com
xn--90ahkh6a6b8b.site
910carolina.com
toyotaecoyouth-dev.com
invetnables.com
gdexc.com
ssw168.com
householdmould.com
mqttradar.xyz
t333c.com
thepausestudio.com
evershedsutherlands.com
asbdataplus.com
preddylilthingz.com
jepwu.com
tvlido.com
artovus.com
trainingmagazineme.com
rettar.net
underneathstardoll.com
babipiko21.site
getvpsdime.com
accentsfurniture.com
cutdowns.tech
teklcin.online
sunshareesg.com
eventrewards.site
lacomunaperu.com
a-tavola.online
gshund.com
monsterflixer.com
896851.com
carpetlandcolortileflint.com
filmproduction.management
cherie-clinique.com
medjoker.com
grant-helpers.site
sussdmortgages.com
solaranlagen-forum.com
freecustomsites.com
h7578.com
ideadly.com
backend360.com
podgorskidesign.com
zilinsky.taxi
ourelevatetribe.com
thefitnesswardllc.com
eficazindustrial.com
thecovefishcamp.com
niuxy.com
myluxurypals.com
clinicadentalvelinta.com
dis99.com
crosswealth.xyz
itopjob.com
oandbcleaningservices.com
afri-solutions.com
paradiseoe.com
versionespublicas.com
b2lonline.com
usdcmeta.xyz
bense003.xyz
Signatures
-
Detect Neshta Payload 7 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0O8D7KIM\NEW_1_~1.EXE family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Formbook Payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1920-80-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1920-81-0x000000000041F110-mapping.dmp formbook behavioral1/memory/1920-87-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/560-91-0x00000000000F0000-0x000000000011F000-memory.dmp formbook behavioral1/memory/560-94-0x00000000000F0000-0x000000000011F000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 2016 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1064 vbc.exe 572 vbc.exe -
Loads dropped DLL 6 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 2016 EQNEDT32.EXE 2016 EQNEDT32.EXE 2016 EQNEDT32.EXE 2016 EQNEDT32.EXE 1064 vbc.exe 1064 vbc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.execvtres.execmstp.exedescription pid process target process PID 572 set thread context of 1920 572 vbc.exe cvtres.exe PID 1920 set thread context of 1280 1920 cvtres.exe Explorer.EXE PID 560 set thread context of 1280 560 cmstp.exe Explorer.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe vbc.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe vbc.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\Windows\svchost.com vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEvbc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1320 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
cvtres.execmstp.exepid process 1920 cvtres.exe 1920 cvtres.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe 560 cmstp.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
cvtres.execmstp.exepid process 1920 cvtres.exe 1920 cvtres.exe 1920 cvtres.exe 560 cmstp.exe 560 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
cvtres.execmstp.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1920 cvtres.exe Token: SeDebugPrivilege 560 cmstp.exe Token: SeShutdownPrivilege 1280 Explorer.EXE Token: SeShutdownPrivilege 1280 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1320 EXCEL.EXE 1320 EXCEL.EXE 1320 EXCEL.EXE -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
EQNEDT32.EXEvbc.exevbc.exeExplorer.EXEcmstp.exedescription pid process target process PID 2016 wrote to memory of 1064 2016 EQNEDT32.EXE vbc.exe PID 2016 wrote to memory of 1064 2016 EQNEDT32.EXE vbc.exe PID 2016 wrote to memory of 1064 2016 EQNEDT32.EXE vbc.exe PID 2016 wrote to memory of 1064 2016 EQNEDT32.EXE vbc.exe PID 1064 wrote to memory of 572 1064 vbc.exe vbc.exe PID 1064 wrote to memory of 572 1064 vbc.exe vbc.exe PID 1064 wrote to memory of 572 1064 vbc.exe vbc.exe PID 1064 wrote to memory of 572 1064 vbc.exe vbc.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 572 wrote to memory of 1920 572 vbc.exe cvtres.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 1280 wrote to memory of 560 1280 Explorer.EXE cmstp.exe PID 560 wrote to memory of 1444 560 cmstp.exe cmd.exe PID 560 wrote to memory of 1444 560 cmstp.exe cmd.exe PID 560 wrote to memory of 1444 560 cmstp.exe cmd.exe PID 560 wrote to memory of 1444 560 cmstp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\LTL20I_order.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0O8D7KIM\NEW_1_~1.EXEFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeFilesize
257KB
MD5c26f62be6304e0e2c12dba146a372c21
SHA12497d5377572816d9490f074949efde8e65f49f4
SHA25645b1927934099ea95d315972f7f128ba3af4a64aa483d964f94c599e8e16f094
SHA512365c33622bb675109dbf9093b0d2a5d3635c8cf9591ff3af6d4be3690499e40252b1ec3712d4031424cf2df8958b197566e995f58d511b16a301b28bdf9c5718
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeFilesize
257KB
MD5c26f62be6304e0e2c12dba146a372c21
SHA12497d5377572816d9490f074949efde8e65f49f4
SHA25645b1927934099ea95d315972f7f128ba3af4a64aa483d964f94c599e8e16f094
SHA512365c33622bb675109dbf9093b0d2a5d3635c8cf9591ff3af6d4be3690499e40252b1ec3712d4031424cf2df8958b197566e995f58d511b16a301b28bdf9c5718
-
C:\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
C:\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeFilesize
257KB
MD5c26f62be6304e0e2c12dba146a372c21
SHA12497d5377572816d9490f074949efde8e65f49f4
SHA25645b1927934099ea95d315972f7f128ba3af4a64aa483d964f94c599e8e16f094
SHA512365c33622bb675109dbf9093b0d2a5d3635c8cf9591ff3af6d4be3690499e40252b1ec3712d4031424cf2df8958b197566e995f58d511b16a301b28bdf9c5718
-
\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
\Users\Public\vbc.exeFilesize
298KB
MD5e29af60c4ef79bee0553d2fb6e5e45bf
SHA1621afdcdfdba54a39c17ff294879dcfdb944593e
SHA2567afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
SHA5126b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
memory/560-90-0x0000000000830000-0x0000000000848000-memory.dmpFilesize
96KB
-
memory/560-94-0x00000000000F0000-0x000000000011F000-memory.dmpFilesize
188KB
-
memory/560-93-0x0000000001D50000-0x0000000001DE3000-memory.dmpFilesize
588KB
-
memory/560-92-0x0000000001F20000-0x0000000002223000-memory.dmpFilesize
3.0MB
-
memory/560-91-0x00000000000F0000-0x000000000011F000-memory.dmpFilesize
188KB
-
memory/560-86-0x0000000000000000-mapping.dmp
-
memory/572-72-0x0000000000230000-0x0000000000270000-memory.dmpFilesize
256KB
-
memory/572-73-0x0000000000330000-0x000000000036A000-memory.dmpFilesize
232KB
-
memory/572-69-0x0000000000000000-mapping.dmp
-
memory/1064-64-0x0000000000000000-mapping.dmp
-
memory/1280-85-0x0000000007300000-0x000000000749E000-memory.dmpFilesize
1.6MB
-
memory/1280-96-0x0000000006D70000-0x0000000006E85000-memory.dmpFilesize
1.1MB
-
memory/1280-95-0x0000000006D70000-0x0000000006E85000-memory.dmpFilesize
1.1MB
-
memory/1320-75-0x000000007263D000-0x0000000072648000-memory.dmpFilesize
44KB
-
memory/1320-55-0x0000000071651000-0x0000000071653000-memory.dmpFilesize
8KB
-
memory/1320-98-0x000000007263D000-0x0000000072648000-memory.dmpFilesize
44KB
-
memory/1320-54-0x000000002FAC1000-0x000000002FAC4000-memory.dmpFilesize
12KB
-
memory/1320-57-0x000000007263D000-0x0000000072648000-memory.dmpFilesize
44KB
-
memory/1320-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-97-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-58-0x0000000075CD1000-0x0000000075CD3000-memory.dmpFilesize
8KB
-
memory/1444-89-0x0000000000000000-mapping.dmp
-
memory/1920-77-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1920-83-0x00000000008F0000-0x0000000000BF3000-memory.dmpFilesize
3.0MB
-
memory/1920-81-0x000000000041F110-mapping.dmp
-
memory/1920-87-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1920-80-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1920-78-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1920-84-0x0000000000280000-0x0000000000294000-memory.dmpFilesize
80KB