formbook | baea29755ad7d0d89ae6ec2229bb06fafaf5a68869b3f07adad15e7020a79fd1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-06-2022 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decrypted.xlsx
Size

156KB
MD5

4e4e1faa4f89fd324a0d3cb7609740ee
SHA1

c9194e4a27abcf199dd82e6cefc12c100f60c745
SHA256

4fa076b9edb70ff44a8c67442a5337293d9e6c6c9c9bf9acc23fce485116a741
SHA512

8500aca084c2f591aa0bf2b29f40d6be0866f72c27b869992d66cb754d879554cd41a70fccabbaff01f8e09f8e529102532560c4673e9b1e270724219458f43b

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/1596-88-0x000000000041F840-mapping.dmp	xloader
behavioral3/memory/1596-87-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral3/memory/1596-91-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral3/memory/1996-99-0x0000000000140000-0x000000000016C000-memory.dmp	xloader
behavioral3/memory/1996-102-0x0000000000140000-0x000000000016C000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 2036 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1108 vbc.exe
1596 vbc.exe
Abuses OpenXML format to download file from external location
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation vbc.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXE

pid process

2036 EQNEDT32.EXE
2036 EQNEDT32.EXE
2036 EQNEDT32.EXE
2036 EQNEDT32.EXE
2036 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
9	2036	EQNEDT32.EXE

pid	process
1108	vbc.exe
1596	vbc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	vbc.exe

pid	process
2036	EQNEDT32.EXE
2036	EQNEDT32.EXE
2036	EQNEDT32.EXE
2036	EQNEDT32.EXE
2036	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HHM81NWHYZ = "C:\\Program Files (x86)\\Eadil_rg\\mfcadfh1n.exe"	msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exemsdt.exe

description	pid	process	target process
PID 1108 set thread context of 1596	1108	vbc.exe	vbc.exe
PID 1596 set thread context of 1296	1596	vbc.exe	Explorer.EXE
PID 1996 set thread context of 1296	1996	msdt.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msdt.exe

description ioc process

File opened for modification C:\Program Files (x86)\Eadil_rg\mfcadfh1n.exe msdt.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2036 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Eadil_rg\mfcadfh1n.exe	msdt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2036	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXEmsdt.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1304 EXCEL.EXE

pid	process
1304	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

vbc.exemsdt.exe

pid	process
1596	vbc.exe
1596	vbc.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe
1996	msdt.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.exemsdt.exe

pid process

1596 vbc.exe
1596 vbc.exe
1596 vbc.exe
1996 msdt.exe
1996 msdt.exe
1996 msdt.exe
1996 msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1596	vbc.exe
Token: SeDebugPrivilege	1996	msdt.exe
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1304 EXCEL.EXE
1304 EXCEL.EXE
1304 EXCEL.EXE
1892 WINWORD.EXE
1892 WINWORD.EXE

pid	process
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1892	WINWORD.EXE
1892	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 2036 wrote to memory of 1108	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 1108	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 1108	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 1108	2036	EQNEDT32.EXE	vbc.exe
PID 1892 wrote to memory of 780	1892	WINWORD.EXE	splwow64.exe
PID 1892 wrote to memory of 780	1892	WINWORD.EXE	splwow64.exe
PID 1892 wrote to memory of 780	1892	WINWORD.EXE	splwow64.exe
PID 1892 wrote to memory of 780	1892	WINWORD.EXE	splwow64.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1108 wrote to memory of 1596	1108	vbc.exe	vbc.exe
PID 1296 wrote to memory of 1996	1296	Explorer.EXE	msdt.exe
PID 1296 wrote to memory of 1996	1296	Explorer.EXE	msdt.exe
PID 1296 wrote to memory of 1996	1296	Explorer.EXE	msdt.exe
PID 1296 wrote to memory of 1996	1296	Explorer.EXE	msdt.exe
PID 1996 wrote to memory of 1492	1996	msdt.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	msdt.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	msdt.exe	cmd.exe
PID 1996 wrote to memory of 1492	1996	msdt.exe	cmd.exe
PID 1996 wrote to memory of 940	1996	msdt.exe	Firefox.exe
PID 1996 wrote to memory of 940	1996	msdt.exe	Firefox.exe
PID 1996 wrote to memory of 940	1996	msdt.exe	Firefox.exe
PID 1996 wrote to memory of 940	1996	msdt.exe	Firefox.exe
PID 1996 wrote to memory of 940	1996	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1492

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:940

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:780

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J2W67U9P\invc_16[1].doc
Filesize
20KB

MD5
211a8ee8e10adc14b944fab7a196a960

SHA1
445901560e0568f9e63ff6195c1bfb0bcd7bd586

SHA256
e7fce9b0a293803a0e3305ed64d0de8896abc0f8d274665c1c89af741434b9e4

SHA512
17db353e1a562f7fddb6b63541c89a8c93fb71d873a346e63bca6abe19772ea326807ca49e8616a2b0790e2e69dc340cc3a8d4efa32a72687a0a0416904f9878

Download Submit
C:\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
C:\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
C:\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
\Users\Public\vbc.exe
Filesize
533KB

MD5
2ca4db9e581608faaacdd0533b4fd783

SHA1
78065a3d2fdc96c1c9de15a1ca7e39cd96be1137

SHA256
2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6

SHA512
fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Download Submit
memory/780-78-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/780-75-0x0000000000000000-mapping.dmp

Download
memory/1108-79-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/1108-76-0x0000000000840000-0x00000000008CC000-memory.dmp

Filesize
560KB

Download
memory/1108-83-0x00000000020C0000-0x00000000020F2000-memory.dmp

Filesize
200KB

Download
memory/1108-72-0x0000000000000000-mapping.dmp

Download
memory/1108-82-0x00000000050F0000-0x000000000515A000-memory.dmp

Filesize
424KB

Download
memory/1108-81-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1296-103-0x0000000008FE0000-0x00000000090CE000-memory.dmp

Filesize
952KB

Download
memory/1296-104-0x0000000008FE0000-0x00000000090CE000-memory.dmp

Filesize
952KB

Download
memory/1296-94-0x00000000072D0000-0x0000000007477000-memory.dmp

Filesize
1.7MB

Download
memory/1304-57-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1304-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1304-54-0x000000002FFF1000-0x000000002FFF4000-memory.dmp

Filesize
12KB

Download
memory/1304-55-0x00000000715E1000-0x00000000715E3000-memory.dmp

Filesize
8KB

Download
memory/1304-58-0x00000000725CD000-0x00000000725D8000-memory.dmp

Filesize
44KB

Download
memory/1304-59-0x00000000725CD000-0x00000000725D8000-memory.dmp

Filesize
44KB

Download
memory/1492-97-0x0000000000000000-mapping.dmp

Download
memory/1596-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1596-88-0x000000000041F840-mapping.dmp

Download
memory/1596-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1596-92-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1596-93-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/1596-87-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1596-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1892-80-0x00000000725CD000-0x00000000725D8000-memory.dmp

Filesize
44KB

Download
memory/1892-64-0x00000000725CD000-0x00000000725D8000-memory.dmp

Filesize
44KB

Download
memory/1892-60-0x000000006B931000-0x000000006B934000-memory.dmp

Filesize
12KB

Download
memory/1996-95-0x0000000000000000-mapping.dmp

Download
memory/1996-100-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/1996-101-0x00000000020B0000-0x0000000002140000-memory.dmp

Filesize
576KB

Download
memory/1996-102-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/1996-99-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/1996-98-0x00000000007B0000-0x00000000008A4000-memory.dmp

Filesize
976KB

Download