formbook | 489e6a77763d56312fa2f10bf16dda809618217106b58709e29ccd8fed01a9a6

Analysis

max time kernel
204s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Product Sample.xls
Size

288KB
MD5

8b330fca4e3f56131727b3fc246ea937
SHA1

ee2f2a899e8f2ee68a1b1bbcf3d54625682944f0
SHA256

489e6a77763d56312fa2f10bf16dda809618217106b58709e29ccd8fed01a9a6
SHA512

c489c96918d453e1527df509d9dce4a853e00764957777f5b38d226fd7dc978ec0ca410f9a76b80d8966a92ae6611ceaee5aa0673fea39713bf27bef68b7387c
SSDEEP

6144:P/uZ+RwPONXoRjDhIcp0fDlavx+W26nAKGy0PQmU1Nd00lzL3:PFQmUdFB

Score

10^/10

formbook us90 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

us90

Decoy

1expresno.app

thepsychic.africa

burjbinghattitower.com

hotelurgell.com

goldenassistant.com

ecovod-servise.ru

kbjnonprofit.com

dope.trade

babylon-it.net

dsatyui.xyz

myexpertisebybbl.app

2185866.com

inboxwired.xyz

lamy.life

gic-invest.info

eliteconstructionsni.co.uk

lamygeo.com

courean.space

cremation-services-75688.com

fapearte.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1848-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1848-82-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/288-85-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/288-90-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 568 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exedsdbla.exedsdbla.exe

pid process

1756 vbc.exe
980 dsdbla.exe
1848 dsdbla.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exedsdbla.exe

pid process

568 EQNEDT32.EXE
1756 vbc.exe
980 dsdbla.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	568	EQNEDT32.EXE

pid	process
1756	vbc.exe
980	dsdbla.exe
1848	dsdbla.exe

pid	process
568	EQNEDT32.EXE
1756	vbc.exe
980	dsdbla.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

dsdbla.exedsdbla.exewuapp.exe

description	pid	process	target process
PID 980 set thread context of 1848	980	dsdbla.exe	dsdbla.exe
PID 1848 set thread context of 1216	1848	dsdbla.exe	Explorer.EXE
PID 1848 set thread context of 1216	1848	dsdbla.exe	Explorer.EXE
PID 288 set thread context of 1216	288	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

568 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
568	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1996 EXCEL.EXE

pid	process
1996	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

dsdbla.exewuapp.exe

pid	process
1848	dsdbla.exe
1848	dsdbla.exe
1848	dsdbla.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

dsdbla.exedsdbla.exewuapp.exe

pid process

980 dsdbla.exe
1848 dsdbla.exe
1848 dsdbla.exe
1848 dsdbla.exe
1848 dsdbla.exe
288 wuapp.exe
288 wuapp.exe

pid	process
1216	Explorer.EXE

pid	process
980	dsdbla.exe
1848	dsdbla.exe
1848	dsdbla.exe
1848	dsdbla.exe
1848	dsdbla.exe
288	wuapp.exe
288	wuapp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dsdbla.exewuapp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1848	dsdbla.exe
Token: SeDebugPrivilege	288	wuapp.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1996 EXCEL.EXE
1996 EXCEL.EXE
1996 EXCEL.EXE

pid	process
1996	EXCEL.EXE
1996	EXCEL.EXE
1996	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEvbc.exedsdbla.exedsdbla.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 568 wrote to memory of 1756	568	EQNEDT32.EXE	vbc.exe
PID 568 wrote to memory of 1756	568	EQNEDT32.EXE	vbc.exe
PID 568 wrote to memory of 1756	568	EQNEDT32.EXE	vbc.exe
PID 568 wrote to memory of 1756	568	EQNEDT32.EXE	vbc.exe
PID 1756 wrote to memory of 980	1756	vbc.exe	dsdbla.exe
PID 1756 wrote to memory of 980	1756	vbc.exe	dsdbla.exe
PID 1756 wrote to memory of 980	1756	vbc.exe	dsdbla.exe
PID 1756 wrote to memory of 980	1756	vbc.exe	dsdbla.exe
PID 980 wrote to memory of 1848	980	dsdbla.exe	dsdbla.exe
PID 980 wrote to memory of 1848	980	dsdbla.exe	dsdbla.exe
PID 980 wrote to memory of 1848	980	dsdbla.exe	dsdbla.exe
PID 980 wrote to memory of 1848	980	dsdbla.exe	dsdbla.exe
PID 980 wrote to memory of 1848	980	dsdbla.exe	dsdbla.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1848 wrote to memory of 288	1848	dsdbla.exe	wuapp.exe
PID 1216 wrote to memory of 1364	1216	Explorer.EXE	mstsc.exe
PID 1216 wrote to memory of 1364	1216	Explorer.EXE	mstsc.exe
PID 1216 wrote to memory of 1364	1216	Explorer.EXE	mstsc.exe
PID 1216 wrote to memory of 1364	1216	Explorer.EXE	mstsc.exe
PID 288 wrote to memory of 692	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 692	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 692	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 692	288	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Product Sample.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:1364

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\dsdbla.exe
"C:\Users\Admin\AppData\Local\Temp\dsdbla.exe" C:\Users\Admin\AppData\Local\Temp\liijoebg.mh
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\dsdbla.exe
"C:\Users\Admin\AppData\Local\Temp\dsdbla.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dsdbla.exe"
6⤵
PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dsdbla.exe
Filesize
104KB

MD5
94602804a99dca871f93226f5b96ea72

SHA1
64337e2b7b7774d49063797b68804146481d641d

SHA256
ccb9e20dd6659f49a7e79337849608b121ca1a52f96a1f9420c9eccf9d66acb2

SHA512
c97648551f3c32c723c524c5ccbf7907c664aaa4cadf8dad8de538544a3690aea7b0182452dab59171b3e44dbb125252279314d97c965a36d4d5d10e3870722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsdbla.exe
Filesize
104KB

MD5
94602804a99dca871f93226f5b96ea72

SHA1
64337e2b7b7774d49063797b68804146481d641d

SHA256
ccb9e20dd6659f49a7e79337849608b121ca1a52f96a1f9420c9eccf9d66acb2

SHA512
c97648551f3c32c723c524c5ccbf7907c664aaa4cadf8dad8de538544a3690aea7b0182452dab59171b3e44dbb125252279314d97c965a36d4d5d10e3870722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsdbla.exe
Filesize
104KB

MD5
94602804a99dca871f93226f5b96ea72

SHA1
64337e2b7b7774d49063797b68804146481d641d

SHA256
ccb9e20dd6659f49a7e79337849608b121ca1a52f96a1f9420c9eccf9d66acb2

SHA512
c97648551f3c32c723c524c5ccbf7907c664aaa4cadf8dad8de538544a3690aea7b0182452dab59171b3e44dbb125252279314d97c965a36d4d5d10e3870722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjldvdpgwtq.wu
Filesize
185KB

MD5
dc178368ef86f9e47be7b46d80973b7f

SHA1
188ad6c5b474a5a173b707a401858236052349fa

SHA256
64536c8c1548dfce51f857bfd87cbe2071ab3888fe3ddda942d6a5827680507c

SHA512
f2d00cfeda08309ee9b6c43d3f7b6250bfd8d7668f563da70e28c2963a11202c499f3d3f835b26ccfecb0439a97bb1360f7d5fc50438b5cab73656960acd71bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\liijoebg.mh
Filesize
5KB

MD5
e074e51a3b0f9f1d64f6eeb23b3032e0

SHA1
08aef3eaf7300ef03a83a285edf2b1171b240331

SHA256
c990ccf8006c966795c1de212b08a205c6bbfd11bfdd5e4010ae318941cca399

SHA512
029d2ab2441bbc8716c09161f4127301c1e1ff8d20c85c9b1326c59ac13a5ad1ef459c446564eb1049fbd8add4ebdd47e0aace6b14a10841564c42042852df72

Download Submit
C:\Users\Public\vbc.exe
Filesize
257KB

MD5
2bdc884f5196976c0de3167589f63522

SHA1
5b978a100bbb83b0bbec915bd1c3b07525196259

SHA256
0646127a521c320e61c31e4ae2c035e53438d7ff8d25e28cd7150367f40d9504

SHA512
a50a9949662bd8e0eafe665c5ab65b1c488c4e3122535908aea91a8584bc005b6744610cb973fcf761ce3165ae324c627d23d144f211e2a57f63a36d13c6d690

Download Submit
C:\Users\Public\vbc.exe
Filesize
257KB

MD5
2bdc884f5196976c0de3167589f63522

SHA1
5b978a100bbb83b0bbec915bd1c3b07525196259

SHA256
0646127a521c320e61c31e4ae2c035e53438d7ff8d25e28cd7150367f40d9504

SHA512
a50a9949662bd8e0eafe665c5ab65b1c488c4e3122535908aea91a8584bc005b6744610cb973fcf761ce3165ae324c627d23d144f211e2a57f63a36d13c6d690

Download Submit
\Users\Admin\AppData\Local\Temp\dsdbla.exe
Filesize
104KB

MD5
94602804a99dca871f93226f5b96ea72

SHA1
64337e2b7b7774d49063797b68804146481d641d

SHA256
ccb9e20dd6659f49a7e79337849608b121ca1a52f96a1f9420c9eccf9d66acb2

SHA512
c97648551f3c32c723c524c5ccbf7907c664aaa4cadf8dad8de538544a3690aea7b0182452dab59171b3e44dbb125252279314d97c965a36d4d5d10e3870722b

Download Submit
\Users\Admin\AppData\Local\Temp\dsdbla.exe
Filesize
104KB

MD5
94602804a99dca871f93226f5b96ea72

SHA1
64337e2b7b7774d49063797b68804146481d641d

SHA256
ccb9e20dd6659f49a7e79337849608b121ca1a52f96a1f9420c9eccf9d66acb2

SHA512
c97648551f3c32c723c524c5ccbf7907c664aaa4cadf8dad8de538544a3690aea7b0182452dab59171b3e44dbb125252279314d97c965a36d4d5d10e3870722b

Download Submit
\Users\Public\vbc.exe
Filesize
257KB

MD5
2bdc884f5196976c0de3167589f63522

SHA1
5b978a100bbb83b0bbec915bd1c3b07525196259

SHA256
0646127a521c320e61c31e4ae2c035e53438d7ff8d25e28cd7150367f40d9504

SHA512
a50a9949662bd8e0eafe665c5ab65b1c488c4e3122535908aea91a8584bc005b6744610cb973fcf761ce3165ae324c627d23d144f211e2a57f63a36d13c6d690

Download Submit
memory/288-84-0x0000000000880000-0x000000000088B000-memory.dmp

Filesize
44KB

Download
memory/288-87-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/288-83-0x0000000000000000-mapping.dmp

Download
memory/288-85-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/288-90-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/288-89-0x0000000001D30000-0x0000000001DC3000-memory.dmp

Filesize
588KB

Download
memory/692-86-0x0000000000000000-mapping.dmp

Download
memory/980-67-0x0000000000000000-mapping.dmp

Download
memory/1216-91-0x00000000041C0000-0x0000000004256000-memory.dmp

Filesize
600KB

Download
memory/1216-88-0x0000000005140000-0x0000000005264000-memory.dmp

Filesize
1.1MB

Download
memory/1216-81-0x0000000005140000-0x0000000005264000-memory.dmp

Filesize
1.1MB

Download
memory/1216-94-0x00000000041C0000-0x0000000004256000-memory.dmp

Filesize
600KB

Download
memory/1216-79-0x0000000004C90000-0x0000000004DA2000-memory.dmp

Filesize
1.1MB

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download
memory/1848-80-0x00000000006F0000-0x0000000000704000-memory.dmp

Filesize
80KB

Download
memory/1848-74-0x000000000041F170-mapping.dmp

Download
memory/1848-78-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1848-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-77-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1848-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-55-0x0000000071851000-0x0000000071853000-memory.dmp

Filesize
8KB

Download
memory/1996-54-0x000000002F571000-0x000000002F574000-memory.dmp

Filesize
12KB

Download
memory/1996-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-57-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/1996-58-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1996-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-93-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/1996-60-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download