Analysis

max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 09:08
Static task: static1

Behavioral task: behavioral1
  Sample: Purchase Order Sheet.xlsx
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Purchase Order Sheet.xlsx
  Resource: win10v2004-20220414-en
General

Target: Purchase Order Sheet.xlsx
Size: 168KB
MD5: 939b429a57287162bc41f316f44eb30f
SHA1: d847f7c19c0f05eaa78c01c7f3ce870542f126ec
SHA256: db8c0ba2cb25a5ed15cdc6c5e58cffcdc276acea0036813db8824aad1ae5ca22
SHA512: 41a0025cec34032ab697f64774674fe50004d92268cbd75f0fdd237141d56bca0281c2485905b26ddcbe223afafef35f99bf7e083fe308f31545880dcdf6375e
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: ip4t
Domains:
710wgm.com
ournewhorizon.com
hilfe-online.xyz
suryaciptanusantara.com
hfrdwy.com
solutionscollection.com
savor.menu
fxivcama.com
freedom-recruitment.com
owldit.com
fullbiz.online
ztgifts.com
zerlastreeservices.com
simpleenergyai.com
ostheide-immobilien.com
mike-piano.com
xiheps.com
usedcarindonesia-ace.com
yuncuiyunying.xyz
hopecrtprotour.com
palesamedia.com
16thave4plex.com
payphelpcenter950851352.info
myjsma.com
uncoveringtheunconscious.net
hcdt.net
sipatuh.com
holistic.bet
upsidesunny.com
hongkongrestaurantmi.com
torquedad.com
carpetoval.com
markasiotomasyon.com
696916888.com
choiceisclearcannabis.com
newcomers.store
sy932.com
jodgotech.com
c9333.com
cangomalaysia.com
tesnd.com
bridgemutnet.com
peterkingroupllc.com
brucecurrycropinsurance.com
lotnerd.com
75lamersoncircle.info
armymomcreations.com
hiveminingltd.com
mfpropiedades.com
maratontorresdelpaine.com
blogrutasviajes.com
lizshulman.com
communicationmotijheel.com
the4adstory.com
arch-fzm.com
ryansalas.com
fcsyp.com
winokio.com
myloan4you.com
classicshowcase.site
producziongroup.com
todosnegocio.com
reelincraftydesigns.com
tigerglobal.business
mygwinin.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (6 IoCs)
  resource  yara_rule
  - behavioral1/memory/520-77-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  - behavioral1/memory/520-78-0x000000000041F250-mapping.dmp  xloader
  - behavioral1/memory/520-81-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  - behavioral1/memory/520-89-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  - behavioral1/memory/928-92-0x00000000000D0000-0x00000000000FB000-memory.dmp  xloader
  - behavioral1/memory/928-96-0x00000000000D0000-0x00000000000FB000-memory.dmp  xloader
Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  - 3   1204  EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
  pid   Process
  - 2012  vbc.exe
  - 520   vbc.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  - 1204  EQNEDT32.EXE  (5 entries)
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  description  ioc  Process
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HZ-DPL3P_2 = "C:\\Program Files (x86)\\X0x6h\\gdie2aprv_h.exe"  cmmon32.exe
  - Key created  \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  cmmon32.exe
Suspicious use of SetThreadContext (4 IoCs)
  description  pid  Process  procid_target
  - PID 2012 set thread context of 520   2012  vbc.exe      33
  - PID 520 set thread context of 1284   520   vbc.exe      16
  - PID 520 set thread context of 1284   520   vbc.exe      16
  - PID 928 set thread context of 1284   928   cmmon32.exe  16
Drops file in Program Files directory (1 IoCs)
  description  ioc  Process
  - File opened for modification  C:\Program Files (x86)\X0x6h\gdie2aprv_h.exe  cmmon32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
  description  ioc  Process
  - Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid   Process
  - 1204  EQNEDT32.EXE

Modifies Internet Explorer settings
  description  ioc  Process
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  EXCEL.EXE
  - Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  - Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  EXCEL.EXE
  - Set value (int)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  EXCEL.EXE
  - Key created  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  - Key created  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  EXCEL.EXE
  - Set value (int)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"  EXCEL.EXE
  - Key created  \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmmon32.exe
  - Key created  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
  - Key created  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  - Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  EXCEL.EXE
Modifies registry class (64 IoCs)
  description  ioc  Process
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print  EXCEL.EXE
  - Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  EXCEL.EXE
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  EXCEL.EXE
  - Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit  EXCEL.EXE
  - Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid  Process
  - 316  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid  Process
  - 520  vbc.exe      (3 entries)
  - 928  cmmon32.exe  (12 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid  Process
  - 520  vbc.exe      (4 entries)
  - 928  cmmon32.exe  (3 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description  pid  Process
  - Token: SeDebugPrivilege     520   vbc.exe
  - Token: SeDebugPrivilege     928   cmmon32.exe
  - Token: SeShutdownPrivilege  1284  Explorer.EXE
  - Token: SeShutdownPrivilege  1284  Explorer.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  Process
  - 316  EXCEL.EXE  (3 entries)

Suspicious use of WriteProcessMemory (23 IoCs)
  description  pid  Process  procid_target
  - PID 1204 wrote to memory of 2012  1204  EQNEDT32.EXE  31  (4 entries)
  - PID 2012 wrote to memory of 520   2012  vbc.exe       33  (7 entries)
  - PID 1284 wrote to memory of 928   1284  Explorer.EXE  34  (4 entries)
  - PID 928 wrote to memory of 1292   928   cmmon32.exe   35  (4 entries)
  - PID 928 wrote to memory of 1672   928   cmmon32.exe   37  (4 entries)
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1284
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order Sheet.xlsx"
        PID: 316
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\cmmon32.exe
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        PID: 928
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Public\vbc.exe"
            PID: 1292

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 1672

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    PID: 1204
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\vbc.exe
        command line: "C:\Users\Public\vbc.exe"
        PID: 2012
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Public\vbc.exe
            command line: "C:\Users\Public\vbc.exe"
            PID: 520
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 668KB
MD5: d558a014b63621911fea88739bd4d442
SHA1: 770267f47a9330db866ab28f10abab1fde94e625
SHA256: dc1325117fde7f750e5c4a2fcaa09560b63760da668d899ad9dcf9e414e85fbf
SHA512: cbfdf8a9422366faee5e546d9b02baf330f583c1684580b912ddbbfaff028bc6147c92db0ec9598a85bf48400a78288036ce7cb5564f82bd5769a457aadca2ef
(identical download entry recorded 8 times in the report)