Analysis
max time kernel: 152s
max time network: 194s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-06-2022 14:57

Static task: static1
Behavioral task: behavioral1 (sample SGLN22060220.xlsx, resource win7-20220414-en)
Behavioral task: behavioral2 (sample SGLN22060220.xlsx, resource win10v2004-20220414-en)
General
Target: SGLN22060220.xlsx
Size: 79KB
MD5: 57efdb5c07a2948e09c3535d3b91fc72
SHA1: 974c2be9ff6499240c09b570e759e17b83061c68
SHA256: a5985216525198346400da43be15f61b3ef5fcb784d6ebd43ddfc9e269704a68
SHA512: e19b817387f494bea3a879e1d19a63d9a605e8d38f75e0650c64a389f78aca05245a5fdfe28f823b41439be6eabfbffcc7a5adbeeaea26bbd71b78a56135918f
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: tn61
C2 domain list (XLoader, like FormBook before it, ships its real C2 in a list padded with decoy domains that the bot also contacts; treat the list as a fingerprint of this build, not as a set of confirmed-malicious hosts):
ryliehorrall.art
mesdco.net
street-art-ink.com
sepetcin.com
stilghar.com
hawaiipooltiles.com
fuerst-von-falkennest.com
totalvirtue.com
xdk0blc0tqy6a7.life
zootowngravel.com
kreditkarten-optionde.com
6888tlbb.xyz
albertakleekai.com
travelnurseinfofinder3.life
valleyinnswat.com
secure-remove-devices.com
digitalswamy.com
www112casinova.com
medifasttrd.com
distritoxermar.com
ebwagner.com
biworker.com
0571kt.net
mjuelaw.com
buildlimitlesswealth.com
wbclips.com
session.care
museatthemill.com
pjhxsl.com
momentums6.com
electricbike.energy
accommodations.network
libroskolibris.com
sejintech.net
parkchestergardens.info
gndgame.info
arcwarp.com
aboveallonline.com
dinotacker.com
ufc188livestreamfree.com
saulomar.com
atmworldexpo.com
chooox.com
admissium.com
dacdem.com
oneruk-chandeliercleaning.com
oyster-iot.cloud
mutinybrewworks.com
yaoih.com
dmitchellpropertiesllc.com
nuoicaymosaigon.com
peacockgotv.com
nextr.xyz
bidvastil.com
shahanhan.com
goodlordy.net
banlyeojob.com
tasteatlus.com
ecotone-os.xyz
urbanartco.com
drecibo.com
davegwatkin.com
pharmiva.net
accordingtopreston.com
blizzardboy.net
Signatures
The signatures, process tree and memory dumps below are from behavioral1 (the Windows 7 x64 run; dump names carry the behavioral1/ prefix and the Office paths are Office14 under Program Files (x86)).
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
The FormBook rule firing on an XLoader sample is expected: XLoader is the 2020 rebrand and successor of FormBook and its C2 check-in still matches the same rule. The downloader rule is consistent with the payload fetch performed by EQNEDT32.EXE (see "Blocklisted process makes network request" and "Downloads MZ/PE file" below).
Xloader Payload 6 IoCs
The YARA hits are in the two hollowed hosts, cvtres.exe (PID 1412) and rundll32.exe (PID 964), not in the dropped vbc.exe; the unpacked XLoader image lives at 0x400000-0x42B000 in cvtres.exe.
resource | yara_rule
behavioral1/memory/1412-74-0x000000000041F2C0-mapping.dmp | xloader
behavioral1/memory/1412-73-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1412-76-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1412-83-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/964-91-0x0000000000090000-0x00000000000BB000-memory.dmp | xloader
behavioral1/memory/964-95-0x0000000000090000-0x00000000000BB000-memory.dmp | xloader
-
Blocklisted process makes network request 2 IoCs
flow | pid | process
4 | 2000 | EQNEDT32.EXE
5 | 2000 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid | process
1204 | vbc.exe
-
Loads dropped DLL 4 IoCs
pid | process
2000 | EQNEDT32.EXE (4 events)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. In this run the behaviour is consistent with the injected rundll32.exe (PID 964), which creates Internet Explorer's IntelliForms\Storage2 key (the AutoComplete saved-form and password store, see "Modifies Internet Explorer settings") and writes into a Firefox.exe process it starts (see "Suspicious use of WriteProcessMemory").
-
Uses the VBS compiler for execution 1 TTPs
This signature keys on the file name vbc.exe. The file executed here is the 283KB payload downloaded to C:\Users\Public\vbc.exe (see Downloads), not the compiler shipped with the .NET Framework, so the name is camouflage rather than a real compiler invocation.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MRKPNJ28HP = "C:\\Program Files (x86)\\Eodylpfgp\\wingb5xx6.exe" | rundll32.exe
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | process | target process
PID 1204 set thread context of 1412 | 1204 | vbc.exe | cvtres.exe
PID 1412 set thread context of 1272 | 1412 | cvtres.exe | Explorer.EXE
PID 1412 set thread context of 1272 | 1412 | cvtres.exe | Explorer.EXE
PID 964 set thread context of 1272 | 964 | rundll32.exe | Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Eodylpfgp\wingb5xx6.exe | rundll32.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Here EQNEDT32.EXE is started by OLE activation from the workbook (-Embedding, see the process tree), makes the two flagged network requests and launches the downloaded C:\Users\Public\vbc.exe. The report does not identify which Equation Editor vulnerability the workbook triggers.
-
Modifies Internet Explorer settings 32 IoCs
All but one of these entries are EXCEL.EXE (re)registering Office's HTML/MHTML editor and menu extensions, which is normal Office housekeeping on a fresh sandbox image. The entry to watch is rundll32.exe creating IntelliForms\Storage2, Internet Explorer's AutoComplete (saved-form and password) store.
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | rundll32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
-
Modifies registry class 64 IoCs
All 64 entries are written by EXCEL.EXE (PID 1408) and (re)register Office's own .htm/.mht OpenWithList verbs, the htmlfile/mhtmlfile shell verbs and one COM class; no payload process appears in this table.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
-
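The "Set value (data)" rows in the Internet Explorer settings table and in the registry class table above print opaque hex blobs. Decoding them shows what they are: UTF-16LE strings holding a Windows Installer Darwin descriptor (compressed ProductCode, feature name, '>' separator, compressed ComponentId) followed by the editor's command-line arguments, i.e. Office's advertised-shortcut registrations and not anything written by the payload. The script below is an added example, my own code and not part of the report; the three hex blobs are copied verbatim from the tables above, the short dictionary keys are my labels, and the 20-character field widths follow the Darwin descriptor layout (an assumption about the format, not something the report states).

```python
"""Decode the REG_BINARY `command` values EXCEL.EXE wrote under the Internet
Explorer "Default HTML/MHTML Editor" keys and the .htm/.mht OpenWithList keys.

Layout assumed (Windows Installer Darwin descriptor):
  <20-char compressed ProductCode><FeatureName>'>'<20-char compressed ComponentId><args>
A '<' instead of '>' ends the descriptor without a ComponentId.
"""
from dataclasses import dataclass

# Hex exactly as the sandbox report prints it; keys are labels chosen here.
REPORT_BLOBS = {
    "word": (  # ...\Default HTML Editor\shell\edit\command\command
        "780062002700420056003500210021002100210021002100210021002100"
        "4d004b004b0053006b0057004f0052004400460069006c00650073003e00"
        "620069002400540021005600210030005a003d007b0050006b0030007600"
        "6d007e0041005a00750020002f006e002000220025003100220000000000"
    ),
    "excel": (  # ...\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command
        "780062002700420056003500210021002100210021002100210021002100"
        "4d004b004b0053006b0045005800430045004c00460069006c00650073003e00"
        "560069006a00710042006f006600280059003800270077002100460049006400310067004c005100"
        "20002f0064006400650000000000"
    ),
    "publisher": (  # ...\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command
        "780062002700420056003500210021002100210021002100210021002100"
        "4d004b004b0053006b005000750062005000720069006d006100720079003e00"
        "520024006e0075006a0053005700460065003f007d0061004c007200520070003900780040005700"
        "20002500310000000000"
    ),
}


@dataclass(frozen=True)
class DarwinCommand:
    product_code: str   # 20-char compressed MSI ProductCode (same for all Office entries)
    feature: str        # MSI feature the shell verb advertises, e.g. WORDFiles
    component: str      # 20-char compressed ComponentId, "" when absent
    arguments: str      # command-line template appended after the descriptor


def decode_reg_command(hex_blob: str) -> DarwinCommand:
    """Parse one REG_BINARY `command` value as a UTF-16LE Darwin descriptor."""
    # The value is double-NUL terminated; strip the padding before parsing.
    text = bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")
    product_code, rest = text[:20], text[20:]
    if ">" in rest:                       # '>' : a ComponentId follows the feature
        feature, tail = rest.split(">", 1)
        component, arguments = tail[:20], tail[20:]
    elif "<" in rest:                     # '<' : descriptor ends without a component
        feature, arguments = rest.split("<", 1)
        component = ""
    else:
        raise ValueError("no Darwin descriptor separator in value")
    return DarwinCommand(product_code, feature, component, arguments)


def decode_all(blobs=REPORT_BLOBS) -> dict:
    """Decode every blob; all three should share one ProductCode (one Office install)."""
    return {label: decode_reg_command(hex_blob) for label, hex_blob in blobs.items()}


if __name__ == "__main__":
    for label, cmd in decode_all().items():
        print(f"{label}: feature={cmd.feature!r} args={cmd.arguments!r} "
              f"product={cmd.product_code!r} component={cmd.component!r}")
```

Running it prints feature WORDFiles with arguments `/n "%1"`, EXCELFiles with `/dde` and PubPrimary with `%1`, all under the same ProductCode, which matches the plain-text `command\` values next to them in the tables (WINWORD.EXE /n "%1", EXCEL.EXE /dde, MSPUB.EXE %1). When triaging a report, any "Set value (data)" blob that decodes this way can be filed as Office install-on-demand housekeeping.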
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
1408 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | process
1204 | vbc.exe (2 events)
1412 | cvtres.exe (3 events)
964 | rundll32.exe (6 events)
-
Suspicious behavior: MapViewOfSection 8 IoCs
pid | process
1412 | cvtres.exe (4 events)
964 | rundll32.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | process
Token: SeDebugPrivilege | 1204 | vbc.exe
Token: SeDebugPrivilege | 1412 | cvtres.exe
Token: SeShutdownPrivilege | 1272 | Explorer.EXE (4 events)
Token: SeDebugPrivilege | 964 | rundll32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | process
1408 | EXCEL.EXE (3 events)
-
Suspicious use of WriteProcessMemory 35 IoCs
Repeated rows are collapsed with an event count. Note the two cvtres.exe targets: PID 2028 receives four writes and shows no further activity, PID 1412 receives seven writes plus SetThreadContext and goes on to carry the XLoader payload.
description | pid | process | target process
PID 2000 wrote to memory of 1204 | 2000 | EQNEDT32.EXE | vbc.exe (4 events)
PID 1204 wrote to memory of 2028 | 1204 | vbc.exe | cvtres.exe (4 events)
PID 1204 wrote to memory of 1412 | 1204 | vbc.exe | cvtres.exe (7 events)
PID 1412 wrote to memory of 964 | 1412 | cvtres.exe | rundll32.exe (7 events)
PID 1272 wrote to memory of 1288 | 1272 | Explorer.EXE | cscript.exe (4 events)
PID 964 wrote to memory of 1100 | 964 | rundll32.exe | cmd.exe (4 events)
PID 964 wrote to memory of 1028 | 964 | rundll32.exe | Firefox.exe (5 events)
Processes
Indentation shows the parent/child level from the report (1 = top level).

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SGLN22060220.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cscript.exe
    cmdline: "C:\Windows\SysWOW64\cscript.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    cmdline: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\SysWOW64\rundll32.exe"
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        C:\Program Files\Mozilla Firefox\Firefox.exe
          cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Read with the PIDs from the signature tables, the chain is: EXCEL.EXE (1408) opens the workbook; OLE activation starts EQNEDT32.EXE (2000) with -Embedding, which makes the two flagged network requests and launches the downloaded C:\Users\Public\vbc.exe (1204); vbc.exe writes into and sets the thread context of cvtres.exe (first 2028, then 1412, the instance that carries the XLoader YARA hits), i.e. process hollowing of a legitimate .NET Framework binary; cvtres.exe sets the thread context of Explorer.EXE (1272) and starts rundll32.exe (964) with no DLL argument; rundll32.exe then writes the MRKPNJ28HP Run value, drops wingb5xx6.exe under C:\Program Files (x86)\Eodylpfgp, creates the IE IntelliForms\Storage2 key, writes into a Firefox.exe it starts, and runs cmd.exe /c del against the cvtres.exe host path to clean up.
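The signature tables above (SetThreadContext, WriteProcessMemory, Adds Run key) and the process tree give the whole chain as sandbox rows. As an added example, not part of the report or of any vendor tooling, the script below parses those row formats and applies the three checks this sample would trip in a detection pipeline: Equation Editor touching another process, SetThreadContext into a different process (the hollowing step), and a Run value written by a living-off-the-land binary such as rundll32.exe. SAMPLE_ROWS is a constructed subset of the rows printed above, including the duplicates the report shows, and the rule names and the LOLBIN_WRITERS list are my choices.

```python
"""Turn the sandbox report's cross-process and registry IoC rows into findings.

Row formats handled (as printed by the report):
  PID <src> wrote to memory of <dst> <src> <src image> <dst image>
  PID <src> set thread context of <dst> <src> <src image> <dst image>
  Set value (str) <key>\\...\\CurrentVersion\\Run\\<name> = "<target>" <writer>
"""
import re

# Constructed subset of the report's rows, duplicates kept to show de-duplication.
SAMPLE_ROWS = r"""
PID 2000 wrote to memory of 1204 2000 EQNEDT32.EXE vbc.exe
PID 2000 wrote to memory of 1204 2000 EQNEDT32.EXE vbc.exe
PID 1204 wrote to memory of 1412 1204 vbc.exe cvtres.exe
PID 1204 set thread context of 1412 1204 vbc.exe cvtres.exe
PID 1412 set thread context of 1272 1412 cvtres.exe Explorer.EXE
PID 1412 set thread context of 1272 1412 cvtres.exe Explorer.EXE
PID 964 set thread context of 1272 964 rundll32.exe Explorer.EXE
PID 1272 wrote to memory of 1288 1272 Explorer.EXE cscript.exe
PID 964 wrote to memory of 1100 964 rundll32.exe cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MRKPNJ28HP = "C:\\Program Files (x86)\\Eodylpfgp\\wingb5xx6.exe" rundll32.exe
Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run rundll32.exe
""".strip().splitlines()

CROSS_PROCESS = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
RUN_VALUE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+\\CurrentVersion\\Run\\(?P<name>[^ \\]+)) = '
    r'"(?P<target>[^"]*)" (?P<writer>\S+)$',
    re.IGNORECASE,
)
# System binaries that never legitimately register autostart entries for themselves.
LOLBIN_WRITERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cscript.exe",
                  "wscript.exe", "powershell.exe", "cmd.exe"}


def analyze(rows):
    """Return de-duplicated findings, each a dict with a 'rule' key."""
    findings, seen = [], set()

    def emit(**finding):
        key = tuple(sorted(finding.items()))   # keys are unique, so sorting is stable
        if key not in seen:
            seen.add(key)
            findings.append(finding)

    for row in rows:
        row = row.strip()
        m = CROSS_PROCESS.match(row)
        if m:
            # Equation Editor has no business creating or writing into other processes.
            if m["src_img"].lower() == "eqnedt32.exe":
                emit(rule="equation_editor_touches_process",
                     src_pid=int(m["src"]), dst=m["dst_img"], dst_pid=int(m["dst"]))
            # SetThreadContext on another process = hollowing / thread hijack.
            if m["action"] == "set thread context of" and m["src"] != m["dst"]:
                emit(rule="remote_thread_context", src=m["src_img"],
                     dst=m["dst_img"], dst_pid=int(m["dst"]))
            continue
        m = RUN_VALUE.match(row)
        if m and m["writer"].lower() in LOLBIN_WRITERS:
            # The report JSON-escapes backslashes inside the quoted target; undo that.
            emit(rule="lolbin_run_key", name=m["name"], writer=m["writer"],
                 target=m["target"].replace("\\\\", "\\"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ROWS):
        print(finding)
```

On the constructed rows this yields five findings: one for EQNEDT32.EXE writing into vbc.exe, three remote_thread_context hits (vbc.exe to cvtres.exe, cvtres.exe to Explorer.EXE, rundll32.exe to Explorer.EXE) and one Run value written by rundll32.exe pointing at C:\Program Files (x86)\Eodylpfgp\wingb5xx6.exe. The same three checks map directly onto EDR telemetry (parent image, cross-process thread-context events, registry set events with the writing image), which is where they belong in production.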
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\vbc.exe (the report records this one file six times, as C:\Users\Public\vbc.exe and as \Users\Public\vbc.exe, always with the same hashes)
Filesize: 283KB
MD5: 3003d7f5f37555dda6aaedc46ebffb6e
SHA1: 2fc3bfb42f58a9c1c6c9383015347b9c8935d14f
SHA256: 2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c
SHA512: c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050
-
Memory dumps from behavioral1 (dump name, size). The 172KB dumps of PID 1412 at 0x400000-0x42B000 and of PID 964 at 0x90000-0xBB000 are the regions the xloader YARA rule matched (see Xloader Payload).
memory/964-93-0x0000000000960000-0x00000000009F0000-memory.dmp | 576KB
memory/964-91-0x0000000000090000-0x00000000000BB000-memory.dmp | 172KB
memory/964-88-0x00000000022E0000-0x00000000025E3000-memory.dmp | 3.0MB
memory/964-89-0x0000000000AE0000-0x0000000000AEE000-memory.dmp | 56KB
memory/964-95-0x0000000000090000-0x00000000000BB000-memory.dmp | 172KB
memory/964-84-0x0000000000000000-mapping.dmp
memory/1100-90-0x0000000000000000-mapping.dmp
memory/1204-65-0x0000000000000000-mapping.dmp
memory/1204-69-0x0000000000280000-0x00000000002B4000-memory.dmp | 208KB
memory/1204-68-0x0000000000960000-0x00000000009AC000-memory.dmp | 304KB
memory/1272-79-0x0000000007140000-0x0000000007273000-memory.dmp | 1.2MB
memory/1272-92-0x0000000007280000-0x000000000733A000-memory.dmp | 744KB
memory/1272-94-0x0000000007340000-0x0000000007440000-memory.dmp | 1024KB
memory/1272-96-0x0000000007340000-0x0000000007440000-memory.dmp | 1024KB
memory/1272-82-0x0000000007280000-0x000000000733A000-memory.dmp | 744KB
memory/1408-85-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/1408-60-0x00000000729FD000-0x0000000072A08000-memory.dmp | 44KB
memory/1408-55-0x0000000071A11000-0x0000000071A13000-memory.dmp | 8KB
memory/1408-56-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/1408-57-0x00000000729FD000-0x0000000072A08000-memory.dmp | 44KB
memory/1408-58-0x00000000765C1000-0x00000000765C3000-memory.dmp | 8KB
memory/1408-54-0x000000002F981000-0x000000002F984000-memory.dmp | 12KB
memory/1408-87-0x00000000729FD000-0x0000000072A08000-memory.dmp | 44KB
memory/1412-76-0x0000000000400000-0x000000000042B000-memory.dmp | 172KB
memory/1412-74-0x000000000041F2C0-mapping.dmp
memory/1412-70-0x0000000000400000-0x000000000042B000-memory.dmp | 172KB
memory/1412-71-0x0000000000400000-0x000000000042B000-memory.dmp | 172KB
memory/1412-73-0x0000000000400000-0x000000000042B000-memory.dmp | 172KB
memory/1412-78-0x0000000000570000-0x0000000000581000-memory.dmp | 68KB
memory/1412-83-0x0000000000400000-0x000000000042B000-memory.dmp | 172KB
memory/1412-77-0x00000000008F0000-0x0000000000BF3000-memory.dmp | 3.0MB
memory/1412-81-0x0000000002250000-0x0000000002261000-memory.dmp | 68KB