formbook | 13cdbb613bb0df701013068c650cf252acfbd5034710710ab099d7c75fd41d30

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aztexnika Ltd BAKU Order.xls
Size

1.5MB
MD5

0096434371fec7c2352199a7c5d746d8
SHA1

42d939a4fb5bd3ab37b20239d181cac781b9ec60
SHA256

13cdbb613bb0df701013068c650cf252acfbd5034710710ab099d7c75fd41d30
SHA512

c684c087e78df4bc1e904f66bbd38b497e3475e41ea5a1db3ec847ffdb11b267a368810c6dc4ec8cbada53c365b30d318e6c169d7d5611b572ac9d0b2fd69029
SSDEEP

24576:XzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDWmhxr5XXXXXXXXXXXXUXXXXXXXrXXX/:YG8VBQ6Q

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1492 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exevjfiz.exevjfiz.exe

pid process

680 vbc.exe
1156 vjfiz.exe
1940 vjfiz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vjfiz.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation vjfiz.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exevjfiz.exemsdt.exe

pid process

1492 EQNEDT32.EXE
680 vbc.exe
1156 vjfiz.exe
1808 msdt.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	1492	EQNEDT32.EXE

pid	process
680	vbc.exe
1156	vjfiz.exe
1940	vjfiz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	vjfiz.exe

pid	process
1492	EQNEDT32.EXE
680	vbc.exe
1156	vjfiz.exe
1808	msdt.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vjfiz.exevjfiz.exemsdt.exe

description	pid	process	target process
PID 1156 set thread context of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1940 set thread context of 1280	1940	vjfiz.exe	Explorer.EXE
PID 1940 set thread context of 1280	1940	vjfiz.exe	Explorer.EXE
PID 1808 set thread context of 1280	1808	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1492 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1492	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmsdt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1368 EXCEL.EXE

pid	process
1368	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

vjfiz.exemsdt.exe

pid	process
1940	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

vjfiz.exevjfiz.exemsdt.exe

pid process

1156 vjfiz.exe
1940 vjfiz.exe
1940 vjfiz.exe
1940 vjfiz.exe
1940 vjfiz.exe
1808 msdt.exe
1808 msdt.exe
1808 msdt.exe
1808 msdt.exe

pid	process
1156	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1940	vjfiz.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe
1808	msdt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vjfiz.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	1940	vjfiz.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1808	msdt.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1368 EXCEL.EXE
1368 EXCEL.EXE
1368 EXCEL.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EQNEDT32.EXEvbc.exevjfiz.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1492 wrote to memory of 680	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 680	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 680	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 680	1492	EQNEDT32.EXE	vbc.exe
PID 680 wrote to memory of 1156	680	vbc.exe	vjfiz.exe
PID 680 wrote to memory of 1156	680	vbc.exe	vjfiz.exe
PID 680 wrote to memory of 1156	680	vbc.exe	vjfiz.exe
PID 680 wrote to memory of 1156	680	vbc.exe	vjfiz.exe
PID 1156 wrote to memory of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1156 wrote to memory of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1156 wrote to memory of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1156 wrote to memory of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1156 wrote to memory of 1940	1156	vjfiz.exe	vjfiz.exe
PID 1280 wrote to memory of 1808	1280	Explorer.EXE	msdt.exe
PID 1280 wrote to memory of 1808	1280	Explorer.EXE	msdt.exe
PID 1280 wrote to memory of 1808	1280	Explorer.EXE	msdt.exe
PID 1280 wrote to memory of 1808	1280	Explorer.EXE	msdt.exe
PID 1808 wrote to memory of 940	1808	msdt.exe	Firefox.exe
PID 1808 wrote to memory of 940	1808	msdt.exe	Firefox.exe
PID 1808 wrote to memory of 940	1808	msdt.exe	Firefox.exe
PID 1808 wrote to memory of 940	1808	msdt.exe	Firefox.exe
PID 1808 wrote to memory of 940	1808	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Aztexnika Ltd BAKU Order.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:940

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\vjfiz.exe
"C:\Users\Admin\AppData\Local\Temp\vjfiz.exe" C:\Users\Admin\AppData\Local\Temp\tysrzemvxjx.lq
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\vjfiz.exe
"C:\Users\Admin\AppData\Local\Temp\vjfiz.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvicdpxumc.gsh
Filesize
185KB

MD5
6bff3f9f5f10ca6c482120d288b62b08

SHA1
e6e72efca642290d5daaf4c8b2fe5a759e1eadd7

SHA256
499c77843bfd10fce945eab5d76cd783cd1f21aba38a1f36f854825d1f2083da

SHA512
ba7dd6f593bca04792711c46f22137841efc1663aee27c8bc1fe99bc057b5475ef9240880e2a391eed5e99f59142fb49d3d35d8fc558e096127c601ece4f1d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tysrzemvxjx.lq
Filesize
5KB

MD5
36cf5f2a5ec6b153ee2c785c517153fa

SHA1
21fb70c9c27ea827abd77d7adfef003acc7b1b03

SHA256
84a0d75969da88bc18370ded6588bca0d05525a24bc472c1c84bade9fc1c0479

SHA512
d80a2cd1c4d0f86c64e06b728f99a8dee2239f2f0652cc88b0cd02ee28fda16309b3b7cb70b5254821fcec4b6bee640a431f08986faae8f8173b09cee3c09521

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjfiz.exe
Filesize
12KB

MD5
5d2a199396a0bd5027f1d471210eb446

SHA1
3237dea6926772be66227d29a9b361305734af5a

SHA256
ad6a085a27238c1122dfeead4feb7085a04da98ff6805dda8a816d099e46ae97

SHA512
899bc54811858e79d64b1146f37208eee74455fa976e65f83c131ed65eb71a609f32fbeccc2de21328dbbcc100f7749520464b550ce65d278254ff6446b37e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjfiz.exe
Filesize
12KB

MD5
5d2a199396a0bd5027f1d471210eb446

SHA1
3237dea6926772be66227d29a9b361305734af5a

SHA256
ad6a085a27238c1122dfeead4feb7085a04da98ff6805dda8a816d099e46ae97

SHA512
899bc54811858e79d64b1146f37208eee74455fa976e65f83c131ed65eb71a609f32fbeccc2de21328dbbcc100f7749520464b550ce65d278254ff6446b37e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjfiz.exe
Filesize
12KB

MD5
5d2a199396a0bd5027f1d471210eb446

SHA1
3237dea6926772be66227d29a9b361305734af5a

SHA256
ad6a085a27238c1122dfeead4feb7085a04da98ff6805dda8a816d099e46ae97

SHA512
899bc54811858e79d64b1146f37208eee74455fa976e65f83c131ed65eb71a609f32fbeccc2de21328dbbcc100f7749520464b550ce65d278254ff6446b37e73

Download Submit
C:\Users\Public\vbc.exe
Filesize
343KB

MD5
0870a4727fcd6ce557f017f0fed61f51

SHA1
6ad1abe4d5d4f44ea753fb10df927adb1f139f2e

SHA256
14afee34b6a36a32b34c61556e46fef92e6a2d9066c758308bb9caea4a94ae2a

SHA512
7a97ad7ab0f0f23883ca3ee33fdf5ecca2ee3d28df3295ba3b1f1a04b71c62c7dbb7c3bc41d13ac7a84e286b41d130ef4e07a9ad79e7146e9f44baca513a03c5

Download Submit
C:\Users\Public\vbc.exe
Filesize
343KB

MD5
0870a4727fcd6ce557f017f0fed61f51

SHA1
6ad1abe4d5d4f44ea753fb10df927adb1f139f2e

SHA256
14afee34b6a36a32b34c61556e46fef92e6a2d9066c758308bb9caea4a94ae2a

SHA512
7a97ad7ab0f0f23883ca3ee33fdf5ecca2ee3d28df3295ba3b1f1a04b71c62c7dbb7c3bc41d13ac7a84e286b41d130ef4e07a9ad79e7146e9f44baca513a03c5

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
\Users\Admin\AppData\Local\Temp\vjfiz.exe
Filesize
12KB

MD5
5d2a199396a0bd5027f1d471210eb446

SHA1
3237dea6926772be66227d29a9b361305734af5a

SHA256
ad6a085a27238c1122dfeead4feb7085a04da98ff6805dda8a816d099e46ae97

SHA512
899bc54811858e79d64b1146f37208eee74455fa976e65f83c131ed65eb71a609f32fbeccc2de21328dbbcc100f7749520464b550ce65d278254ff6446b37e73

Download Submit
\Users\Admin\AppData\Local\Temp\vjfiz.exe
Filesize
12KB

MD5
5d2a199396a0bd5027f1d471210eb446

SHA1
3237dea6926772be66227d29a9b361305734af5a

SHA256
ad6a085a27238c1122dfeead4feb7085a04da98ff6805dda8a816d099e46ae97

SHA512
899bc54811858e79d64b1146f37208eee74455fa976e65f83c131ed65eb71a609f32fbeccc2de21328dbbcc100f7749520464b550ce65d278254ff6446b37e73

Download Submit
\Users\Public\vbc.exe
Filesize
343KB

MD5
0870a4727fcd6ce557f017f0fed61f51

SHA1
6ad1abe4d5d4f44ea753fb10df927adb1f139f2e

SHA256
14afee34b6a36a32b34c61556e46fef92e6a2d9066c758308bb9caea4a94ae2a

SHA512
7a97ad7ab0f0f23883ca3ee33fdf5ecca2ee3d28df3295ba3b1f1a04b71c62c7dbb7c3bc41d13ac7a84e286b41d130ef4e07a9ad79e7146e9f44baca513a03c5

Download Submit
memory/680-61-0x0000000000000000-mapping.dmp

Download
memory/1156-66-0x0000000000000000-mapping.dmp

Download
memory/1280-81-0x0000000006C00000-0x0000000006D51000-memory.dmp

Filesize
1.3MB

Download
memory/1280-91-0x0000000006D60000-0x0000000006EAB000-memory.dmp

Filesize
1.3MB

Download
memory/1280-92-0x0000000006D60000-0x0000000006EAB000-memory.dmp

Filesize
1.3MB

Download
memory/1280-79-0x0000000004B70000-0x0000000004C33000-memory.dmp

Filesize
780KB

Download
memory/1368-74-0x0000000071E1D000-0x0000000071E28000-memory.dmp

Filesize
44KB

Download
memory/1368-58-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1368-95-0x0000000071E1D000-0x0000000071E28000-memory.dmp

Filesize
44KB

Download
memory/1368-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-55-0x0000000070E31000-0x0000000070E33000-memory.dmp

Filesize
8KB

Download
memory/1368-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-57-0x0000000071E1D000-0x0000000071E28000-memory.dmp

Filesize
44KB

Download
memory/1368-54-0x000000002FEE1000-0x000000002FEE4000-memory.dmp

Filesize
12KB

Download
memory/1808-90-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1808-89-0x0000000001EF0000-0x0000000001F7F000-memory.dmp

Filesize
572KB

Download
memory/1808-88-0x0000000002390000-0x0000000002693000-memory.dmp

Filesize
3.0MB

Download
memory/1808-82-0x0000000000000000-mapping.dmp

Download
memory/1808-86-0x00000000003F0000-0x00000000004E4000-memory.dmp

Filesize
976KB

Download
memory/1808-87-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1940-85-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1940-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-80-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/1940-72-0x00000000004012B0-mapping.dmp

Download
memory/1940-78-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1940-77-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1940-76-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1940-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download