formbook | baaf33dc951650d56f7604d13ee932371279fef9655f8e55a900c30007ed09c4

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order - R0136983.xls
Size

1.3MB
MD5

00950549802eb44db9b3d88778f8d0e4
SHA1

a427f038b5bcf7d745a5ea894464d733f5d60ae2
SHA256

baaf33dc951650d56f7604d13ee932371279fef9655f8e55a900c30007ed09c4
SHA512

8b2dcdab764327cfaa26c6dcce27234fe308c81c5a901079d343fee69d35e12929e1c7893480472901c26c39cb60db5d07c694301ce9052925ee271e1941d315
SSDEEP

24576:rLKJSSMMednEhakAmmjmFakAmmjmF+MXU/akAmmjmU+MXUt2222222222222222H:rLKzMyaaoWaaoK+MXoaaof+MX0tL

Score

10^/10

formbook gn35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gn35

Decoy

igusa.top

1cweb.online

ifoundmymind.com

highlightscorner.africa

kareeberg.com

conjurai.com

airforcevillagesinc.space

3dprintingpro.net

montelent.africa

willowscatsitting.co.uk

dental-implants-64653.com

byunfussy.com

jbpaintsolutions.com

caliner-bebe.com

hjd54c.com

ronabarandgrill.co.uk

financechainz.com

jsqualitycars.com

cortinasagave.store

barrowfordceltic.org.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1868-85-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1868-91-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/528-98-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/528-100-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 592 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exegpphbrp.exegpphbrp.exe

pid process

540 vbc.exe
1516 gpphbrp.exe
1868 gpphbrp.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exegpphbrp.exe

pid process

592 EQNEDT32.EXE
540 vbc.exe
540 vbc.exe
1516 gpphbrp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	592	EQNEDT32.EXE

pid	process
540	vbc.exe
1516	gpphbrp.exe
1868	gpphbrp.exe

pid	process
592	EQNEDT32.EXE
540	vbc.exe
540	vbc.exe
1516	gpphbrp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gpphbrp.exegpphbrp.execolorcpl.exe

description	pid	process	target process
PID 1516 set thread context of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1868 set thread context of 1212	1868	gpphbrp.exe	Explorer.EXE
PID 528 set thread context of 1212	528	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

592 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
592	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1720 EXCEL.EXE

pid	process
1720	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

gpphbrp.execolorcpl.exe

pid	process
1868	gpphbrp.exe
1868	gpphbrp.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe
528	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

gpphbrp.exegpphbrp.execolorcpl.exe

pid process

1516 gpphbrp.exe
1868 gpphbrp.exe
1868 gpphbrp.exe
1868 gpphbrp.exe
528 colorcpl.exe
528 colorcpl.exe

pid	process
1212	Explorer.EXE

pid	process
1516	gpphbrp.exe
1868	gpphbrp.exe
1868	gpphbrp.exe
1868	gpphbrp.exe
528	colorcpl.exe
528	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

gpphbrp.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1868	gpphbrp.exe
Token: SeDebugPrivilege	528	colorcpl.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1720 EXCEL.EXE
1720 EXCEL.EXE
1720 EXCEL.EXE

pid	process
1720	EXCEL.EXE
1720	EXCEL.EXE
1720	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEvbc.exegpphbrp.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 592 wrote to memory of 540	592	EQNEDT32.EXE	vbc.exe
PID 592 wrote to memory of 540	592	EQNEDT32.EXE	vbc.exe
PID 592 wrote to memory of 540	592	EQNEDT32.EXE	vbc.exe
PID 592 wrote to memory of 540	592	EQNEDT32.EXE	vbc.exe
PID 540 wrote to memory of 1516	540	vbc.exe	gpphbrp.exe
PID 540 wrote to memory of 1516	540	vbc.exe	gpphbrp.exe
PID 540 wrote to memory of 1516	540	vbc.exe	gpphbrp.exe
PID 540 wrote to memory of 1516	540	vbc.exe	gpphbrp.exe
PID 1516 wrote to memory of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1516 wrote to memory of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1516 wrote to memory of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1516 wrote to memory of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1516 wrote to memory of 1868	1516	gpphbrp.exe	gpphbrp.exe
PID 1212 wrote to memory of 528	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 528	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 528	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 528	1212	Explorer.EXE	colorcpl.exe
PID 528 wrote to memory of 1064	528	colorcpl.exe	cmd.exe
PID 528 wrote to memory of 1064	528	colorcpl.exe	cmd.exe
PID 528 wrote to memory of 1064	528	colorcpl.exe	cmd.exe
PID 528 wrote to memory of 1064	528	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order - R0136983.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
3⤵
PID:1064

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe" C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77CA6C26.emf
Filesize
1.4MB

MD5
5c65827565e89d5357d6f81294701c19

SHA1
600aa1899bdc58d12671774e84033366dc931c04

SHA256
dec6f35ceb48260f3ba4e6487c48d3f97b274f2eff29cab00c2c7e677eef4b4f

SHA512
052c177c606d30f4f3b658f60bb3643fffec498cc8fa931b4380aa6b93ac20fa9ef4600645740e99ba2f6d43e333fe783378d14395132819d6fb44787aad196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
Filesize
5KB

MD5
900c373f6c5be8540eae5a626e47a359

SHA1
2737e9fd6c97348be165d25b07fbcf76459949ad

SHA256
0494586849051993d03464b9917ed4e94b2401557cc2a7158dfb2448ce180f5a

SHA512
e2a5552cbf53d0ef5c19c29ebb82b6470732ada49917f46d86a80900e5cefa7f4894d535de4609da027342d5416ecb2b3cda66d862d3ae94eff43fe95977e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlrrrg.a
Filesize
205KB

MD5
71674cfae55662347b48db35362ba924

SHA1
668707609fe97b070604791f76f0d563a94e80b2

SHA256
bfd69cb6188a67e380b526f42377ce2d523c92dbe2d87dd921c6f643ff2fccbc

SHA512
1c10e50d2332af2b8e9b4f98eb55b8add0d527522c21de7c9bee1fcd94a426f09f61c9dcff05be02484ba6357834999622c25993be26c06d616f1c94e64c55a7

Download Submit
C:\Users\Public\vbc.exe
Filesize
293KB

MD5
7c85964484c4e3471124dd4dd5ef34df

SHA1
9a98592a83e9d3ba1dcbe52000e63f9940270fd7

SHA256
ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

SHA512
46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d

Download Submit
C:\Users\Public\vbc.exe
Filesize
293KB

MD5
7c85964484c4e3471124dd4dd5ef34df

SHA1
9a98592a83e9d3ba1dcbe52000e63f9940270fd7

SHA256
ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

SHA512
46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d

Download Submit
C:\Users\Public\vbc.exe
Filesize
293KB

MD5
7c85964484c4e3471124dd4dd5ef34df

SHA1
9a98592a83e9d3ba1dcbe52000e63f9940270fd7

SHA256
ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

SHA512
46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
\Users\Public\vbc.exe
Filesize
293KB

MD5
7c85964484c4e3471124dd4dd5ef34df

SHA1
9a98592a83e9d3ba1dcbe52000e63f9940270fd7

SHA256
ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

SHA512
46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d

Download Submit
memory/528-99-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/528-95-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/528-102-0x0000000001D40000-0x0000000001DD4000-memory.dmp

Filesize
592KB

Download
memory/528-100-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/528-98-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/528-97-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/1212-104-0x0000000006F90000-0x0000000007058000-memory.dmp

Filesize
800KB

Download
memory/1212-93-0x0000000006E10000-0x0000000006F90000-memory.dmp

Filesize
1.5MB

Download
memory/1212-89-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/1212-105-0x0000000006F90000-0x0000000007058000-memory.dmp

Filesize
800KB

Download
memory/1212-107-0x0000000006F90000-0x0000000007058000-memory.dmp

Filesize
800KB

Download
memory/1516-81-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1720-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1868-92-0x0000000000330000-0x0000000000345000-memory.dmp

Filesize
84KB

Download
memory/1868-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-90-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1868-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download