formbook | 2aca554d54992c396c459dac71bd00d92d814ca4fdd15e2c9dcd770ca89a6e50

Analysis

max time kernel
173s
max time network
178s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Angebot anfordern#DE5538100- Musterkatalog.xls
Size

1.6MB
MD5

4153bdbb2781414b56edb00def417b1f
SHA1

7191d6b286bbf48cb0b0c6c582cf395eebb145e3
SHA256

2aca554d54992c396c459dac71bd00d92d814ca4fdd15e2c9dcd770ca89a6e50
SHA512

dddf75f258c90587fe60d4bb86594939602f1b8ffeb36068b8e7fd769bb89bd3c68a0e4cd401aa833a65b59859fe54efd9b3f49e1680796a5fb561848d66d0db
SSDEEP

24576:0zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDUmeRr5XXXXXXXXXXXXUXXXXXXXrXXXC:B5h0fuYgM

Score

10^/10

formbook dwdp persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1996 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exewyziyqqllh.exewyziyqqllh.exe

pid process

1108 vbc.exe
2012 wyziyqqllh.exe
1208 wyziyqqllh.exe

flow	pid	process
4	1996	EQNEDT32.EXE

pid	process
1108	vbc.exe
2012	wyziyqqllh.exe
1208	wyziyqqllh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wyziyqqllh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	wyziyqqllh.exe

Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvbc.exewyziyqqllh.exe

pid process

1996 EQNEDT32.EXE
1996 EQNEDT32.EXE
1996 EQNEDT32.EXE
1108 vbc.exe
1108 vbc.exe
2012 wyziyqqllh.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1996	EQNEDT32.EXE
1996	EQNEDT32.EXE
1996	EQNEDT32.EXE
1108	vbc.exe
1108	vbc.exe
2012	wyziyqqllh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wyziyqqllh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecgru = "C:\\Users\\Admin\\AppData\\Roaming\\lcdobatkse\\puisxyjyut.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wyziyqqllh.exe\" C:\\Users\\Admin\\AppData"	wyziyqqllh.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exewlanext.exe

description	pid	process	target process
PID 2012 set thread context of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 1208 set thread context of 1300	1208	wyziyqqllh.exe	Explorer.EXE
PID 1208 set thread context of 1300	1208	wyziyqqllh.exe	Explorer.EXE
PID 1696 set thread context of 1300	1696	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1996 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1996	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEwlanext.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

wyziyqqllh.exewlanext.exe

pid process

1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1696 wlanext.exe
1696 wlanext.exe
1696 wlanext.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exewlanext.exe

pid process

2012 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1208 wyziyqqllh.exe
1696 wlanext.exe
1696 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wyziyqqllh.exeExplorer.EXEwlanext.exe

description pid process

Token: SeDebugPrivilege 1208 wyziyqqllh.exe
Token: SeShutdownPrivilege 1300 Explorer.EXE
Token: SeDebugPrivilege 1696 wlanext.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
2032 EXCEL.EXE
2032 EXCEL.EXE

pid	process
2032	EXCEL.EXE

pid	process
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1696	wlanext.exe
1696	wlanext.exe
1696	wlanext.exe

pid	process
1300	Explorer.EXE

pid	process
2012	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1208	wyziyqqllh.exe
1696	wlanext.exe
1696	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1208	wyziyqqllh.exe
Token: SeShutdownPrivilege	1300	Explorer.EXE
Token: SeDebugPrivilege	1696	wlanext.exe

pid	process
2032	EXCEL.EXE
2032	EXCEL.EXE
2032	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exewyziyqqllh.exewyziyqqllh.exe

description	pid	process	target process
PID 1996 wrote to memory of 1108	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 1108	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 1108	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 1108	1996	EQNEDT32.EXE	vbc.exe
PID 1108 wrote to memory of 2012	1108	vbc.exe	wyziyqqllh.exe
PID 1108 wrote to memory of 2012	1108	vbc.exe	wyziyqqllh.exe
PID 1108 wrote to memory of 2012	1108	vbc.exe	wyziyqqllh.exe
PID 1108 wrote to memory of 2012	1108	vbc.exe	wyziyqqllh.exe
PID 2012 wrote to memory of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 2012 wrote to memory of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 2012 wrote to memory of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 2012 wrote to memory of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 2012 wrote to memory of 1208	2012	wyziyqqllh.exe	wyziyqqllh.exe
PID 1208 wrote to memory of 1696	1208	wyziyqqllh.exe	wlanext.exe
PID 1208 wrote to memory of 1696	1208	wyziyqqllh.exe	wlanext.exe
PID 1208 wrote to memory of 1696	1208	wyziyqqllh.exe	wlanext.exe
PID 1208 wrote to memory of 1696	1208	wyziyqqllh.exe	wlanext.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Angebot anfordern#DE5538100- Musterkatalog.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe" C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
5⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fugegefct.s
Filesize
185KB

MD5
2375912c75db13281f3bfc9c3ddf7646

SHA1
9955467017fcb057d1ca868db84f4f7ebc31fd45

SHA256
f9cdfa1edf4a5f85d8ddaae338fc550580ff5094eed1507c9beca4097298d861

SHA512
56242ec311c00540ebee80b661fb3fcf8674635d48675b17e1de677271ab997f3ae057f009cf34654b5241b11e1a3f0d97f8f99be4e78a4b32b519a7695e5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
Filesize
7KB

MD5
2c406815d04080e2fa43ba9e99ceabd3

SHA1
27b0f2b81e15d7715867accb5fa68f8c8f4ea209

SHA256
b70fa69ab56821b4902e9922d786948c5673440e0f8dd5403385d96d0167cee4

SHA512
32df91288abf935fb71e1fa04beeed0d945877f2ed2830fd7068344523371a05bc5fe973f475e8a1f9b5d95f50ca4ae9ab75a5182a063476209f2cb22b6c9b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Public\vbc.exe
Filesize
333KB

MD5
4c974d9519a2bfe890a2fd763224d1e7

SHA1
2e88feb98658d7ffee549438453aef2bc162b115

SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27

Download Submit
C:\Users\Public\vbc.exe
Filesize
333KB

MD5
4c974d9519a2bfe890a2fd763224d1e7

SHA1
2e88feb98658d7ffee549438453aef2bc162b115

SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Public\vbc.exe
Filesize
333KB

MD5
4c974d9519a2bfe890a2fd763224d1e7

SHA1
2e88feb98658d7ffee549438453aef2bc162b115

SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27

Download Submit
\Users\Public\vbc.exe
Filesize
333KB

MD5
4c974d9519a2bfe890a2fd763224d1e7

SHA1
2e88feb98658d7ffee549438453aef2bc162b115

SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27

Download Submit
\Users\Public\vbc.exe
Filesize
333KB

MD5
4c974d9519a2bfe890a2fd763224d1e7

SHA1
2e88feb98658d7ffee549438453aef2bc162b115

SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27

Download Submit
memory/1108-63-0x0000000000000000-mapping.dmp

Download
memory/1208-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-85-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1208-76-0x00000000004012B0-mapping.dmp

Download
memory/1208-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-80-0x00000000006F0000-0x00000000009F3000-memory.dmp

Filesize
3.0MB

Download
memory/1208-81-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1300-93-0x0000000006D20000-0x0000000006DDE000-memory.dmp

Filesize
760KB

Download
memory/1300-95-0x0000000006D20000-0x0000000006DDE000-memory.dmp

Filesize
760KB

Download
memory/1300-86-0x0000000007230000-0x0000000007394000-memory.dmp

Filesize
1.4MB

Download
memory/1300-82-0x0000000006C30000-0x0000000006D13000-memory.dmp

Filesize
908KB

Download
memory/1696-88-0x0000000000000000-mapping.dmp

Download
memory/1696-92-0x0000000000610000-0x000000000069F000-memory.dmp

Filesize
572KB

Download
memory/1696-94-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1696-91-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/1696-89-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/1696-90-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2012-69-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x000000007279D000-0x00000000727A8000-memory.dmp

Filesize
44KB

Download
memory/2032-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-54-0x000000002F451000-0x000000002F454000-memory.dmp

Filesize
12KB

Download
memory/2032-55-0x00000000717B1000-0x00000000717B3000-memory.dmp

Filesize
8KB

Download
memory/2032-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-58-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/2032-84-0x000000007279D000-0x00000000727A8000-memory.dmp

Filesize
44KB

Download