formbook | b2494aaabd68a29cbb11be4d3164f04657b24e5887345625704741da9515307a

Analysis

max time kernel
186s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D22122SG_001 Fresa General Trade.xls
Size

1.5MB
MD5

7897d067062d4d5d0824890c39a6ccda
SHA1

daa82905ae468f5087bbbf51b8b1425367d8b278
SHA256

b2494aaabd68a29cbb11be4d3164f04657b24e5887345625704741da9515307a
SHA512

479f9c20e63e5883735d234f4f5c7d8b6c4f9d06a535887c3bcfc17aabdc67b18793deeece62965c1e81ef251855162792d2c62ccb9da8c9b737cb3a1bc2b8e6
SSDEEP

24576:pzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDQmwor5XXXXXXXXXXXXUXXXXXXXrXXXL:qwzD5SGvu

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1980 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exerbygg.exerbygg.exe

pid process

108 vbc.exe
812 rbygg.exe
468 rbygg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rbygg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation rbygg.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvbc.exerbygg.exeNAPSTAT.EXE

pid process

1980 EQNEDT32.EXE
1980 EQNEDT32.EXE
1980 EQNEDT32.EXE
108 vbc.exe
812 rbygg.exe
1128 NAPSTAT.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	1980	EQNEDT32.EXE

pid	process
108	vbc.exe
812	rbygg.exe
468	rbygg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	rbygg.exe

pid	process
1980	EQNEDT32.EXE
1980	EQNEDT32.EXE
1980	EQNEDT32.EXE
108	vbc.exe
812	rbygg.exe
1128	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rbygg.exerbygg.exeNAPSTAT.EXE

description	pid	process	target process
PID 812 set thread context of 468	812	rbygg.exe	rbygg.exe
PID 468 set thread context of 1396	468	rbygg.exe	Explorer.EXE
PID 1128 set thread context of 1396	1128	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1980 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1980	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXENAPSTAT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

908 EXCEL.EXE

pid	process
908	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

rbygg.exeNAPSTAT.EXE

pid	process
468	rbygg.exe
468	rbygg.exe
468	rbygg.exe
468	rbygg.exe
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

rbygg.exerbygg.exeNAPSTAT.EXE

pid process

812 rbygg.exe
468 rbygg.exe
468 rbygg.exe
468 rbygg.exe
1128 NAPSTAT.EXE
1128 NAPSTAT.EXE
1128 NAPSTAT.EXE
1128 NAPSTAT.EXE

pid	process
812	rbygg.exe
468	rbygg.exe
468	rbygg.exe
468	rbygg.exe
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE
1128	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rbygg.exeNAPSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	468	rbygg.exe
Token: SeDebugPrivilege	1128	NAPSTAT.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

908 EXCEL.EXE
908 EXCEL.EXE
908 EXCEL.EXE
908 EXCEL.EXE
908 EXCEL.EXE

pid	process
908	EXCEL.EXE
908	EXCEL.EXE
908	EXCEL.EXE
908	EXCEL.EXE
908	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EQNEDT32.EXEvbc.exerbygg.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1980 wrote to memory of 108	1980	EQNEDT32.EXE	vbc.exe
PID 1980 wrote to memory of 108	1980	EQNEDT32.EXE	vbc.exe
PID 1980 wrote to memory of 108	1980	EQNEDT32.EXE	vbc.exe
PID 1980 wrote to memory of 108	1980	EQNEDT32.EXE	vbc.exe
PID 108 wrote to memory of 812	108	vbc.exe	rbygg.exe
PID 108 wrote to memory of 812	108	vbc.exe	rbygg.exe
PID 108 wrote to memory of 812	108	vbc.exe	rbygg.exe
PID 108 wrote to memory of 812	108	vbc.exe	rbygg.exe
PID 812 wrote to memory of 468	812	rbygg.exe	rbygg.exe
PID 812 wrote to memory of 468	812	rbygg.exe	rbygg.exe
PID 812 wrote to memory of 468	812	rbygg.exe	rbygg.exe
PID 812 wrote to memory of 468	812	rbygg.exe	rbygg.exe
PID 812 wrote to memory of 468	812	rbygg.exe	rbygg.exe
PID 1396 wrote to memory of 1128	1396	Explorer.EXE	NAPSTAT.EXE
PID 1396 wrote to memory of 1128	1396	Explorer.EXE	NAPSTAT.EXE
PID 1396 wrote to memory of 1128	1396	Explorer.EXE	NAPSTAT.EXE
PID 1396 wrote to memory of 1128	1396	Explorer.EXE	NAPSTAT.EXE
PID 1128 wrote to memory of 1624	1128	NAPSTAT.EXE	Firefox.exe
PID 1128 wrote to memory of 1624	1128	NAPSTAT.EXE	Firefox.exe
PID 1128 wrote to memory of 1624	1128	NAPSTAT.EXE	Firefox.exe
PID 1128 wrote to memory of 1624	1128	NAPSTAT.EXE	Firefox.exe
PID 1128 wrote to memory of 1624	1128	NAPSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\D22122SG_001 Fresa General Trade.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1624

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\rbygg.exe
"C:\Users\Admin\AppData\Local\Temp\rbygg.exe" C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\rbygg.exe
"C:\Users\Admin\AppData\Local\Temp\rbygg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
Filesize
5KB

MD5
5def413bb305e22659152545633d4394

SHA1
ea186096bc4445be3a749bfe98ff1549f822da5e

SHA256
69ac40a2aeebad2a280bb794d8a8f0a2e2d195739b6317d4f94897bc22a51309

SHA512
e4917aced9bae7c29d4bb553a8675596719c8ff5e39cd8f034ae897197fd662b596b013311d010b9282fa269ae03fdc6aba27c2e84ba9f350771ff7a022e2144

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize
267KB

MD5
8dcd475914550c7b97c0692d42b0b5cc

SHA1
07f9a2e01086f31881d2b46447a30032ddaf1b75

SHA256
408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

SHA512
5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize
267KB

MD5
8dcd475914550c7b97c0692d42b0b5cc

SHA1
07f9a2e01086f31881d2b46447a30032ddaf1b75

SHA256
408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

SHA512
5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize
267KB

MD5
8dcd475914550c7b97c0692d42b0b5cc

SHA1
07f9a2e01086f31881d2b46447a30032ddaf1b75

SHA256
408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

SHA512
5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiidn.o
Filesize
185KB

MD5
c985ca943df871d4ca23679cb7be7dd7

SHA1
a6d315d44a90d685deb4eea6c6778ed2e5f0f575

SHA256
2b159ae78ee415b70683cbc5fc7d479b9dc62c127d98afa021f10824ca8fb8ab

SHA512
5d471a2a84751b756863e4766f7ec1f288c08482ac365e90726501dc385a99da72a6b7104e7dfeb365926997c7df1aa22f9f9c8b343ed60d53ed868b3e8933c4

Download Submit
C:\Users\Public\vbc.exe
Filesize
334KB

MD5
2b087c00777a630a4100c122f4687783

SHA1
618f5bf8bea9d2c431c4389c18e2dd91082a0d67

SHA256
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

SHA512
cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

Download Submit
C:\Users\Public\vbc.exe
Filesize
334KB

MD5
2b087c00777a630a4100c122f4687783

SHA1
618f5bf8bea9d2c431c4389c18e2dd91082a0d67

SHA256
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

SHA512
cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

Download Submit
\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize
267KB

MD5
8dcd475914550c7b97c0692d42b0b5cc

SHA1
07f9a2e01086f31881d2b46447a30032ddaf1b75

SHA256
408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

SHA512
5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

Download Submit
\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize
267KB

MD5
8dcd475914550c7b97c0692d42b0b5cc

SHA1
07f9a2e01086f31881d2b46447a30032ddaf1b75

SHA256
408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4

SHA512
5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
804KB

MD5
b09588d000ef4bf2a3dddd85bd701423

SHA1
44a810ff8920a340a30b66d932253555143dc28b

SHA256
ce4ffc1a12150b8523378553f2a97dd3fc44d5210ae6c296ab31e2c78f0d03c3

SHA512
1d807d92da34ccba4628f2a55c3ac1c03ff63925d79e266b4e52d71002228cbde76206ec696c3e25143fc2e0cab56589155666ff6f8ea0ebfd5ebcd362168e2a

Download Submit
\Users\Public\vbc.exe
Filesize
334KB

MD5
2b087c00777a630a4100c122f4687783

SHA1
618f5bf8bea9d2c431c4389c18e2dd91082a0d67

SHA256
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

SHA512
cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

Download Submit
\Users\Public\vbc.exe
Filesize
334KB

MD5
2b087c00777a630a4100c122f4687783

SHA1
618f5bf8bea9d2c431c4389c18e2dd91082a0d67

SHA256
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

SHA512
cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

Download Submit
\Users\Public\vbc.exe
Filesize
334KB

MD5
2b087c00777a630a4100c122f4687783

SHA1
618f5bf8bea9d2c431c4389c18e2dd91082a0d67

SHA256
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869

SHA512
cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b

Download Submit
memory/108-64-0x0000000000000000-mapping.dmp

Download
memory/468-80-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/468-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-79-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/468-78-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/468-75-0x00000000004012B0-mapping.dmp

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/908-93-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/908-55-0x0000000071D11000-0x0000000071D13000-memory.dmp

Filesize
8KB

Download
memory/908-57-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/908-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/908-59-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/908-54-0x000000002F591000-0x000000002F594000-memory.dmp

Filesize
12KB

Download
memory/908-58-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1128-84-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1128-85-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/1128-86-0x0000000000420000-0x00000000004AF000-memory.dmp

Filesize
572KB

Download
memory/1128-87-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1128-83-0x0000000000A40000-0x0000000000A86000-memory.dmp

Filesize
280KB

Download
memory/1128-82-0x0000000000000000-mapping.dmp

Download
memory/1396-88-0x0000000004930000-0x0000000004A21000-memory.dmp

Filesize
964KB

Download
memory/1396-91-0x0000000004930000-0x0000000004A21000-memory.dmp

Filesize
964KB

Download
memory/1396-81-0x0000000007080000-0x00000000071EB000-memory.dmp

Filesize
1.4MB

Download