formbook | 941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-11-2022 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd.xls
Size

197KB
MD5

8929528f1020108fb8b259a3e348f322
SHA1

b2d3999e307b587c876301cdc63e9e660d897cb2
SHA256

941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd
SHA512

0a503e28afc67e5e2ae5d19756d852977fea365b1f0a70a9288a61126a4b684267d61ee44f8fa1a643610fe70d41c1c7c45be26ab86d0ef6287e6537a3a0d441
SSDEEP

3072:FjTI8g9jTI8gnOZwGcFdWRaRW2oRS46bwnaPF0VbAdGtAqF4x8XWhcIiVxVXWOyP:1TmNTmnOZyWURWthnwWaXKXupiVryv/

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1928 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exeyuyojlpdd.exeyuyojlpdd.exe

pid process

1440 vbc.exe
836 yuyojlpdd.exe
1820 yuyojlpdd.exe

flow	pid	process
3	1928	EQNEDT32.EXE

pid	process
1440	vbc.exe
836	yuyojlpdd.exe
1820	yuyojlpdd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yuyojlpdd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	yuyojlpdd.exe

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exeyuyojlpdd.exehelp.exe

pid process

1928 EQNEDT32.EXE
1440 vbc.exe
836 yuyojlpdd.exe
768 help.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1928	EQNEDT32.EXE
1440	vbc.exe
836	yuyojlpdd.exe
768	help.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

yuyojlpdd.exeyuyojlpdd.exehelp.exe

description	pid	process	target process
PID 836 set thread context of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 1820 set thread context of 1384	1820	yuyojlpdd.exe	Explorer.EXE
PID 768 set thread context of 1384	768	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1928 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1928	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEhelp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

968 EXCEL.EXE

pid	process
968	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

yuyojlpdd.exehelp.exe

pid	process
1820	yuyojlpdd.exe
1820	yuyojlpdd.exe
1820	yuyojlpdd.exe
1820	yuyojlpdd.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

yuyojlpdd.exeyuyojlpdd.exehelp.exe

pid process

836 yuyojlpdd.exe
1820 yuyojlpdd.exe
1820 yuyojlpdd.exe
1820 yuyojlpdd.exe
768 help.exe
768 help.exe
768 help.exe
768 help.exe

pid	process
836	yuyojlpdd.exe
1820	yuyojlpdd.exe
1820	yuyojlpdd.exe
1820	yuyojlpdd.exe
768	help.exe
768	help.exe
768	help.exe
768	help.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

yuyojlpdd.exehelp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1820	yuyojlpdd.exe
Token: SeDebugPrivilege	768	help.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

968 EXCEL.EXE
968 EXCEL.EXE
968 EXCEL.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
968	EXCEL.EXE
968	EXCEL.EXE
968	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EQNEDT32.EXEvbc.exeyuyojlpdd.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1928 wrote to memory of 1440	1928	EQNEDT32.EXE	vbc.exe
PID 1928 wrote to memory of 1440	1928	EQNEDT32.EXE	vbc.exe
PID 1928 wrote to memory of 1440	1928	EQNEDT32.EXE	vbc.exe
PID 1928 wrote to memory of 1440	1928	EQNEDT32.EXE	vbc.exe
PID 1440 wrote to memory of 836	1440	vbc.exe	yuyojlpdd.exe
PID 1440 wrote to memory of 836	1440	vbc.exe	yuyojlpdd.exe
PID 1440 wrote to memory of 836	1440	vbc.exe	yuyojlpdd.exe
PID 1440 wrote to memory of 836	1440	vbc.exe	yuyojlpdd.exe
PID 836 wrote to memory of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 836 wrote to memory of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 836 wrote to memory of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 836 wrote to memory of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 836 wrote to memory of 1820	836	yuyojlpdd.exe	yuyojlpdd.exe
PID 1384 wrote to memory of 768	1384	Explorer.EXE	help.exe
PID 1384 wrote to memory of 768	1384	Explorer.EXE	help.exe
PID 1384 wrote to memory of 768	1384	Explorer.EXE	help.exe
PID 1384 wrote to memory of 768	1384	Explorer.EXE	help.exe
PID 768 wrote to memory of 1380	768	help.exe	Firefox.exe
PID 768 wrote to memory of 1380	768	help.exe	Firefox.exe
PID 768 wrote to memory of 1380	768	help.exe	Firefox.exe
PID 768 wrote to memory of 1380	768	help.exe	Firefox.exe
PID 768 wrote to memory of 1380	768	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\941e0547c51948f5a4e8798b2455eb420d48923f042a4fd8bfadef2956dca6cd.xls
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1380

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
"C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uxihpr.zx
Filesize
5KB

MD5
d54e51cfe2eb61eecb8518184631a900

SHA1
a4c20513e75bf1785f4b5658328f7623635f6d53

SHA256
807d62f7c4ec7ff7804a8a88ce0d2f5be710e163d65e6c709ec9f6a675f73d10

SHA512
d0e8397bfaf380622d50aeeb85ae63c3f547a2237f4a5ce43b2f67f79464bbfe46c7f539f1ea42622e7f958aba42375d45d75838bb10403cb398ed61352597f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvvuxvn.cc
Filesize
185KB

MD5
91c02a03c98d9b9fcefdf2c006ad2e51

SHA1
00bc63213b18fe2a1e54560e93c74c83837bbdcb

SHA256
014d38ffaa628106fab91c0f5ca1682624b80891f681ddce51a12dd569ff4c89

SHA512
4fb0f6585fb93af610cdfd06eb06c7038fca1e75226fd440d43a7d948e5492621bf25a9bd69271f00029c27a44563bf4ee8f3bc12651407192497567cf120fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
C:\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
C:\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Admin\AppData\Local\Temp\yuyojlpdd.exe
Filesize
8KB

MD5
b4d86ad7d19d5582a1cdd164f173d183

SHA1
62e9ea7e253105348dc04f87f49c5b83fd6abdc6

SHA256
8b034e2390d543fca81b71124c29304ee20a8d053170709fa11f061141ed11d2

SHA512
a512b5161249857d13640dfd1797c8dfd097e42a402ba546f6a4b8e272e3b050f3c2453faa86fe41cdda5a5216d2a50131c0c683ff0bfaf8887ef150a63a0180

Download Submit
\Users\Public\vbc.exe
Filesize
226KB

MD5
f30dc6dd8fe2e44bf9b8c45115e6f83c

SHA1
cf0033fda00be69b914807455b696b37c24ad9cf

SHA256
1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

SHA512
7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

Download Submit
memory/768-82-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/768-79-0x0000000000000000-mapping.dmp

Download
memory/768-83-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/768-84-0x00000000005C0000-0x000000000064F000-memory.dmp

Filesize
572KB

Download
memory/768-85-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/768-81-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/836-66-0x0000000000000000-mapping.dmp

Download
memory/968-80-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/968-58-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000071C11000-0x0000000071C13000-memory.dmp

Filesize
8KB

Download
memory/968-88-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/968-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/968-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/968-54-0x000000002F4C1000-0x000000002F4C4000-memory.dmp

Filesize
12KB

Download
memory/968-57-0x0000000072BFD000-0x0000000072C08000-memory.dmp

Filesize
44KB

Download
memory/1384-87-0x0000000004B30000-0x0000000004BDF000-memory.dmp

Filesize
700KB

Download
memory/1384-78-0x00000000074B0000-0x0000000007645000-memory.dmp

Filesize
1.6MB

Download
memory/1384-90-0x0000000004B30000-0x0000000004BDF000-memory.dmp

Filesize
700KB

Download
memory/1440-61-0x0000000000000000-mapping.dmp

Download
memory/1820-72-0x00000000004012B0-mapping.dmp

Download
memory/1820-75-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1820-77-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1820-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-76-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download