formbook | 8be101509461d8954f93b6898c1fe407f6a95c78de3b64392e5b785ce55df5b0

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

1.1MB
MD5

919c0f851b252a6c834b5ba9470e6c0d
SHA1

df40f89bbc105c96aa93ce2465a3ed06cb7e065a
SHA256

8be101509461d8954f93b6898c1fe407f6a95c78de3b64392e5b785ce55df5b0
SHA512

ca41ce37d8d30a6549847df759dc810ea11d9b598a776bac28660c811fc479f7a6563004a851c1d786755ed0d94995e2086dd0d924f71d853c0d7c623f2cef9f
SSDEEP

24576:iFetUMdicm7bVFee59y5hm10LPHjAqbnpQ2IHYQRrGrdXXXXXXXXXXXXoXXXXXXf:ifRbHdybLbfnevHYQRz

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-101-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/524-105-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1684-113-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1684-115-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1872 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1888 vbc.exe
2024 vbc.exe
524 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1872 EQNEDT32.EXE
1872 EQNEDT32.EXE
1872 EQNEDT32.EXE
1872 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	1872	EQNEDT32.EXE

pid	process
1872	EQNEDT32.EXE
1872	EQNEDT32.EXE
1872	EQNEDT32.EXE
1872	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exesvchost.exe

description	pid	process	target process
PID 1888 set thread context of 524	1888	vbc.exe	vbc.exe
PID 524 set thread context of 1268	524	vbc.exe	Explorer.EXE
PID 1684 set thread context of 1268	1684	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1660 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1872 EQNEDT32.EXE

pid	process
1660	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1872	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1716 EXCEL.EXE

pid	process
1716	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

vbc.exevbc.exepowershell.exesvchost.exe

pid	process
1888	vbc.exe
1888	vbc.exe
524	vbc.exe
524	vbc.exe
1720	powershell.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exesvchost.exe

pid process

524 vbc.exe
524 vbc.exe
524 vbc.exe
1684 svchost.exe
1684 svchost.exe

pid	process
524	vbc.exe
524	vbc.exe
524	vbc.exe
1684	svchost.exe
1684	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exepowershell.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1888	vbc.exe
Token: SeDebugPrivilege	524	vbc.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1684	svchost.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1716 EXCEL.EXE
1716 EXCEL.EXE
1716 EXCEL.EXE

pid	process
1716	EXCEL.EXE
1716	EXCEL.EXE
1716	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EQNEDT32.EXEvbc.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1872 wrote to memory of 1888	1872	EQNEDT32.EXE	vbc.exe
PID 1872 wrote to memory of 1888	1872	EQNEDT32.EXE	vbc.exe
PID 1872 wrote to memory of 1888	1872	EQNEDT32.EXE	vbc.exe
PID 1872 wrote to memory of 1888	1872	EQNEDT32.EXE	vbc.exe
PID 1888 wrote to memory of 1720	1888	vbc.exe	powershell.exe
PID 1888 wrote to memory of 1720	1888	vbc.exe	powershell.exe
PID 1888 wrote to memory of 1720	1888	vbc.exe	powershell.exe
PID 1888 wrote to memory of 1720	1888	vbc.exe	powershell.exe
PID 1888 wrote to memory of 1660	1888	vbc.exe	schtasks.exe
PID 1888 wrote to memory of 1660	1888	vbc.exe	schtasks.exe
PID 1888 wrote to memory of 1660	1888	vbc.exe	schtasks.exe
PID 1888 wrote to memory of 1660	1888	vbc.exe	schtasks.exe
PID 1888 wrote to memory of 2024	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 2024	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 2024	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 2024	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1888 wrote to memory of 524	1888	vbc.exe	vbc.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	svchost.exe
PID 1684 wrote to memory of 1496	1684	svchost.exe	cmd.exe
PID 1684 wrote to memory of 1496	1684	svchost.exe	cmd.exe
PID 1684 wrote to memory of 1496	1684	svchost.exe	cmd.exe
PID 1684 wrote to memory of 1496	1684	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:1496

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TitjfUZFFcx.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TitjfUZFFcx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2270.tmp"
3⤵
- Creates scheduled task(s)
PID:1660

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2024

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DF2670B.emf
Filesize
485KB

MD5
6fcc23c008fdc19bdda8e01d26e94149

SHA1
5419409ce4ab079def31ca74619d84062b1060ef

SHA256
5d6021f20aab9393e26f84d16e25de574b934d1cad569debb86847a33c529e8b

SHA512
2d6114392f437ce91774deb6b4760105672f1628273ea45e41f4af7454748ae8212db3047f27a15fc3ad4add15586a5d47a15519fb2200fe4ee7e4d5f87c3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3ABCE44F.emf
Filesize
3.2MB

MD5
d3645ec022b22cd69b407ae76e888112

SHA1
30b648bf67e44f5292622406597501f2b98a9787

SHA256
8220af7744ab84a78ddf9233e5281904a42dbd8b3f1c8098123825f1871605f7

SHA512
ca300c21cd20b05da0a6a249b34f29f6c450c300f851f000f5e16dbd02c5588a4e752a6f833ef4363e5496c6812574bbc5bbe89627f551f569593d30547e5ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A461204.emf
Filesize
34KB

MD5
50a2efdd301de2a272aa76cb7bfc5897

SHA1
c9f15e852fe55ac37edd08f8a61ff8840547804b

SHA256
ff73bd40a12e850336a53094fdded649f1e5705380c1399216e5f4489e2551be

SHA512
f0547c3f24fa8ec07b70ca5046c05f9a24b76488dcd3d488c874c3d1d8c2c81f4c4a3899a57469e887592240c97471a17da2dab5c7bc3bc981c4454d46282c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2270.tmp
Filesize
1KB

MD5
e4e32351a3fbe687a3b08200d6e16b8d

SHA1
a2c6bacb09fda6f3234f15959f36a154f2eee9a0

SHA256
ab5c6a54c11607847db9965f25bb834258bf57fdd0c4a519cc48a8108196827a

SHA512
9792f48837ee3166feba15283cf4add36a17ef5c2550665a2006f893b76e17e03bbe00a993e57cf5ffd9651eeb2dfeaac3aa1381405ce364dedc3826133cab60

Download Submit
C:\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
C:\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
C:\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
C:\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
C:\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
\Users\Public\vbc.exe
Filesize
860KB

MD5
a68aec582225be1bfc5ac588c5fb0374

SHA1
f7b914779040bfdbdd3fcb9836923d8b8717f7df

SHA256
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df

SHA512
1c3666c5b25c77a0f58e98b96e6ece0ea1c778daab9315451ceb9d824bbf789dea63813a1c3ce057fd44824c43e9a61eaa21f90b1fe540032456ee24a917c0ea

Download Submit
memory/524-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-107-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/524-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-106-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1268-125-0x0000000003980000-0x0000000003A31000-memory.dmp

Filesize
708KB

Download
memory/1268-108-0x0000000005FF0000-0x00000000060BE000-memory.dmp

Filesize
824KB

Download
memory/1268-146-0x0000000003980000-0x0000000003A31000-memory.dmp

Filesize
708KB

Download
memory/1268-148-0x0000000003980000-0x0000000003A31000-memory.dmp

Filesize
708KB

Download
memory/1684-111-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/1684-115-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1684-117-0x00000000006D0000-0x0000000000763000-memory.dmp

Filesize
588KB

Download
memory/1684-114-0x00000000007A0000-0x0000000000AA3000-memory.dmp

Filesize
3.0MB

Download
memory/1684-113-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1684-112-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/1716-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1716-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-109-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1720-110-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1720-104-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1888-94-0x0000000000C80000-0x0000000000CB8000-memory.dmp

Filesize
224KB

Download
memory/1888-88-0x0000000005DA0000-0x0000000005E50000-memory.dmp

Filesize
704KB

Download
memory/1888-87-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1888-86-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1888-85-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/1888-84-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1888-83-0x0000000000CC0000-0x0000000000D9E000-memory.dmp

Filesize
888KB

Download