formbook | 941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dumas 00045.xls
Size

197KB
MD5

8929528f1020108fb8b259a3e348f322
SHA1

b2d3999e307b587c876301cdc63e9e660d897cb2
SHA256

941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd
SHA512

0a503e28afc67e5e2ae5d19756d852977fea365b1f0a70a9288a61126a4b684267d61ee44f8fa1a643610fe70d41c1c7c45be26ab86d0ef6287e6537a3a0d441
SSDEEP

3072:FjTI8g9jTI8gnOZwGcFdWRaRW2oRS46bwnaPF0VbAdGtAqF4x8XWhcIiVxVXWOyP:1TmNTmnOZyWURWthnwWaXKXupiVryv/

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1440 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exeyuyojlpdd.exeyuyojlpdd.exe

pid process

600 vbc.exe
804 yuyojlpdd.exe
1480 yuyojlpdd.exe

flow	pid	process
3	1440	EQNEDT32.EXE

pid	process
600	vbc.exe
804	yuyojlpdd.exe
1480	yuyojlpdd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yuyojlpdd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	yuyojlpdd.exe

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exeyuyojlpdd.execontrol.exe

pid process

1440 EQNEDT32.EXE
600 vbc.exe
804 yuyojlpdd.exe
1984 control.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1440	EQNEDT32.EXE
600	vbc.exe
804	yuyojlpdd.exe
1984	control.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

yuyojlpdd.exeyuyojlpdd.execontrol.exe

description	pid	process	target process
PID 804 set thread context of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 1480 set thread context of 1216	1480	yuyojlpdd.exe	Explorer.EXE
PID 1480 set thread context of 1216	1480	yuyojlpdd.exe	Explorer.EXE
PID 1984 set thread context of 1216	1984	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1440 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1440	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEcontrol.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1048 EXCEL.EXE

pid	process
1048	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

yuyojlpdd.execontrol.exe

pid	process
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

yuyojlpdd.exeyuyojlpdd.execontrol.exe

pid	process
804	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1480	yuyojlpdd.exe
1984	control.exe
1984	control.exe
1984	control.exe
1984	control.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

yuyojlpdd.exeExplorer.EXEcontrol.exe

description	pid	process
Token: SeDebugPrivilege	1480	yuyojlpdd.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeDebugPrivilege	1984	control.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1048 EXCEL.EXE
1048 EXCEL.EXE
1048 EXCEL.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EQNEDT32.EXEvbc.exeyuyojlpdd.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1440 wrote to memory of 600	1440	EQNEDT32.EXE	vbc.exe
PID 1440 wrote to memory of 600	1440	EQNEDT32.EXE	vbc.exe
PID 1440 wrote to memory of 600	1440	EQNEDT32.EXE	vbc.exe
PID 1440 wrote to memory of 600	1440	EQNEDT32.EXE	vbc.exe
PID 600 wrote to memory of 804	600	vbc.exe	yuyojlpdd.exe
PID 600 wrote to memory of 804	600	vbc.exe	yuyojlpdd.exe
PID 600 wrote to memory of 804	600	vbc.exe	yuyojlpdd.exe
PID 600 wrote to memory of 804	600	vbc.exe	yuyojlpdd.exe
PID 804 wrote to memory of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 804 wrote to memory of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 804 wrote to memory of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 804 wrote to memory of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 804 wrote to memory of 1480	804	yuyojlpdd.exe	yuyojlpdd.exe
PID 1216 wrote to memory of 1984	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 1984	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 1984	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 1984	1216	Explorer.EXE	control.exe
PID 1984 wrote to memory of 1780	1984	control.exe	Firefox.exe
PID 1984 wrote to memory of 1780	1984	control.exe	Firefox.exe
PID 1984 wrote to memory of 1780	1984	control.exe	Firefox.exe
PID 1984 wrote to memory of 1780	1984	control.exe	Firefox.exe
PID 1984 wrote to memory of 1780	1984	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Dumas 00045.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1120

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1780

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uxihpr.zx
Filesize
5KB

MD5
d54e51cfe2eb61eecb8518184631a900

SHA1
a4c20513e75bf1785f4b5658328f7623635f6d53

SHA256
807d62f7c4ec7ff7804a8a88ce0d2f5be710e163d65e6c709ec9f6a675f73d10

SHA512
d0e8397bfaf380622d50aeeb85ae63c3f547a2237f4a5ce43b2f67f79464bbfe46c7f539f1ea42622e7f958aba42375d45d75838bb10403cb398ed61352597f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvvuxvn.cc
Filesize
185KB

MD5
91c02a03c98d9b9fcefdf2c006ad2e51

SHA1
00bc63213b18fe2a1e54560e93c74c83837bbdcb

SHA256
014d38ffaa628106fab91c0f5ca1682624b80891f681ddce51a12dd569ff4c89

SHA512
4fb0f6585fb93af610cdfd06eb06c7038fca1e75226fd440d43a7d948e5492621bf25a9bd69271f00029c27a44563bf4ee8f3bc12651407192497567cf120fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
C:\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
memory/600-61-0x0000000000000000-mapping.dmp

Download
memory/804-66-0x0000000000000000-mapping.dmp

Download
memory/1048-58-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-57-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1048-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1048-79-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1048-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1048-55-0x0000000071A71000-0x0000000071A73000-memory.dmp

Filesize
8KB

Download
memory/1048-92-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1048-54-0x000000002F4C1000-0x000000002F4C4000-memory.dmp

Filesize
12KB

Download
memory/1216-97-0x000007FEEE560000-0x000007FEEE56A000-memory.dmp

Filesize
40KB

Download
memory/1216-78-0x0000000006C00000-0x0000000006D47000-memory.dmp

Filesize
1.3MB

Download
memory/1216-94-0x0000000006800000-0x000000000691A000-memory.dmp

Filesize
1.1MB

Download
memory/1216-93-0x0000000006800000-0x000000000691A000-memory.dmp

Filesize
1.1MB

Download
memory/1216-81-0x0000000006E30000-0x0000000006F85000-memory.dmp

Filesize
1.3MB

Download
memory/1216-96-0x000007FEF6B80000-0x000007FEF6CC3000-memory.dmp

Filesize
1.3MB

Download
memory/1480-76-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1480-77-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/1480-72-0x00000000004012B0-mapping.dmp

Download
memory/1480-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-75-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1480-85-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1480-80-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1480-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-82-0x0000000000000000-mapping.dmp

Download
memory/1984-90-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1984-89-0x0000000001CE0000-0x0000000001D6F000-memory.dmp

Filesize
572KB

Download
memory/1984-88-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/1984-87-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1984-86-0x0000000000210000-0x000000000022F000-memory.dmp

Filesize
124KB

Download