formbook | 5a5817fe411771135283c96d05ac670e36251ba2ed0d6e900d2e0e6952591573

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DETAILS OF BANK TRANSFER USD48908,00.xls
Size

1.3MB
MD5

d085e17676c94c8823ae62adb80b30a0
SHA1

a5525bd1ec686d2d6cd3776236e831473d1a310f
SHA256

5a5817fe411771135283c96d05ac670e36251ba2ed0d6e900d2e0e6952591573
SHA512

4b2b304130105138cfec8d53f6535a4ef7257b215d031b5e34c10fe02a518e5d1f0ed323a5758acd6f837c27328e93977937b3ebc19ba284dc94cb228fc9c1d7
SSDEEP

24576:HLKiSSMMednEhakAmmjmCakAmmjmt+MXU/akAmmjm4+MXU+/WV2222222222222x:HLK2MCaaoxaaoa+MXsaaoT+MXYv

Score

10^/10

formbook sa79 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sa79

Decoy

aidigify.com

angelavamundson.xyz

glicotoday.fun

agencyforbuyers.com

blacklifecoachquiz.com

4e6aqw.site

huawei1990.com

diyetcay.online

chesirechefs.co.uk

generalhospitaleu.africa

hfewha.xyz

lemons2cents.com

rahilprakash.com

kave.tech

netlexfrance.net

youthexsa.africa

car-covers-40809.com

bambooactive.store

fotobugil48.com

kuhler.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-84-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1516-92-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1516-96-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1444-103-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1444-105-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 444 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exetxvsmr.exetxvsmr.exe

pid process

240 vbc.exe
1020 txvsmr.exe
1516 txvsmr.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exetxvsmr.exe

pid process

444 EQNEDT32.EXE
240 vbc.exe
240 vbc.exe
1020 txvsmr.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	444	EQNEDT32.EXE

pid	process
240	vbc.exe
1020	txvsmr.exe
1516	txvsmr.exe

pid	process
444	EQNEDT32.EXE
240	vbc.exe
240	vbc.exe
1020	txvsmr.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

txvsmr.exetxvsmr.exerundll32.exe

description	pid	process	target process
PID 1020 set thread context of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1516 set thread context of 1196	1516	txvsmr.exe	Explorer.EXE
PID 1516 set thread context of 1196	1516	txvsmr.exe	Explorer.EXE
PID 1444 set thread context of 1196	1444	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

444 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
444	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE

pid	process
1972	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

txvsmr.exerundll32.exe

pid	process
1516	txvsmr.exe
1516	txvsmr.exe
1516	txvsmr.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

txvsmr.exetxvsmr.exerundll32.exe

pid process

1020 txvsmr.exe
1516 txvsmr.exe
1516 txvsmr.exe
1516 txvsmr.exe
1516 txvsmr.exe
1444 rundll32.exe
1444 rundll32.exe

pid	process
1196	Explorer.EXE

pid	process
1020	txvsmr.exe
1516	txvsmr.exe
1516	txvsmr.exe
1516	txvsmr.exe
1516	txvsmr.exe
1444	rundll32.exe
1444	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

txvsmr.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	1516	txvsmr.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeDebugPrivilege	1444	rundll32.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1972 EXCEL.EXE
1972 EXCEL.EXE
1972 EXCEL.EXE

pid	process
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEvbc.exetxvsmr.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 444 wrote to memory of 240	444	EQNEDT32.EXE	vbc.exe
PID 444 wrote to memory of 240	444	EQNEDT32.EXE	vbc.exe
PID 444 wrote to memory of 240	444	EQNEDT32.EXE	vbc.exe
PID 444 wrote to memory of 240	444	EQNEDT32.EXE	vbc.exe
PID 240 wrote to memory of 1020	240	vbc.exe	txvsmr.exe
PID 240 wrote to memory of 1020	240	vbc.exe	txvsmr.exe
PID 240 wrote to memory of 1020	240	vbc.exe	txvsmr.exe
PID 240 wrote to memory of 1020	240	vbc.exe	txvsmr.exe
PID 1020 wrote to memory of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1020 wrote to memory of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1020 wrote to memory of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1020 wrote to memory of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1020 wrote to memory of 1516	1020	txvsmr.exe	txvsmr.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 1444	1196	Explorer.EXE	rundll32.exe
PID 1444 wrote to memory of 1988	1444	rundll32.exe	cmd.exe
PID 1444 wrote to memory of 1988	1444	rundll32.exe	cmd.exe
PID 1444 wrote to memory of 1988	1444	rundll32.exe	cmd.exe
PID 1444 wrote to memory of 1988	1444	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DETAILS OF BANK TRANSFER USD48908,00.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\txvsmr.exe"
3⤵
PID:1988

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
"C:\Users\Admin\AppData\Local\Temp\txvsmr.exe" C:\Users\Admin\AppData\Local\Temp\vjztk.pgz
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
"C:\Users\Admin\AppData\Local\Temp\txvsmr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\683186CA.emf
Filesize
1.4MB

MD5
5c65827565e89d5357d6f81294701c19

SHA1
600aa1899bdc58d12671774e84033366dc931c04

SHA256
dec6f35ceb48260f3ba4e6487c48d3f97b274f2eff29cab00c2c7e677eef4b4f

SHA512
052c177c606d30f4f3b658f60bb3643fffec498cc8fa931b4380aa6b93ac20fa9ef4600645740e99ba2f6d43e333fe783378d14395132819d6fb44787aad196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\esziirk.o
Filesize
205KB

MD5
75457929f4a752e804b5af8a2db248ed

SHA1
0de162defe9db66d15bd5be6ee16d0b64674f6cd

SHA256
3122ab74380f4869732e0ac0d7967d815ad179d76dce47700ecc9c06631036d1

SHA512
c62202e6a59fb3de3991387ec7d0c3ab6bf52857fe8e36150e4b6969d1ceeaee4cac4d90586530650ffda1311c2b2a9ca82a909352b21608a240951bc5eba833

Download Submit
C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjztk.pgz
Filesize
5KB

MD5
43ebf30be88b2ecff93689b83917ce96

SHA1
6d55a0d7e7372243f85507af410ed75c24fbe817

SHA256
919c2f5284ba0afb2bc1bb21085c21f6e906cef0582cceb0a05d89803dd3ee5c

SHA512
3ca216e568f7cffb1d2de01227c943681c823bb00baaa9f4b53c0e1f74971feedaeae16e20aef9dfa7c8b74c6d73cfb6f3a86e44c54c0420c4efbb6baf6c6d1d

Download Submit
C:\Users\Public\vbc.exe
Filesize
292KB

MD5
cd375ab06baa7632e9c4e7c951228ef1

SHA1
191c0f1539b7f10bac1f03ed2a73195ece5408b2

SHA256
4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

SHA512
fbf2cce383ec328e014251571a082a8d17dffa310f0aaf6411beae59a0bb9d870ce0f8d146b20655bc08e59541c7652377cec0bb0fbeba793ae6af42c398b3d8

Download Submit
C:\Users\Public\vbc.exe
Filesize
292KB

MD5
cd375ab06baa7632e9c4e7c951228ef1

SHA1
191c0f1539b7f10bac1f03ed2a73195ece5408b2

SHA256
4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

SHA512
fbf2cce383ec328e014251571a082a8d17dffa310f0aaf6411beae59a0bb9d870ce0f8d146b20655bc08e59541c7652377cec0bb0fbeba793ae6af42c398b3d8

Download Submit
C:\Users\Public\vbc.exe
Filesize
292KB

MD5
cd375ab06baa7632e9c4e7c951228ef1

SHA1
191c0f1539b7f10bac1f03ed2a73195ece5408b2

SHA256
4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

SHA512
fbf2cce383ec328e014251571a082a8d17dffa310f0aaf6411beae59a0bb9d870ce0f8d146b20655bc08e59541c7652377cec0bb0fbeba793ae6af42c398b3d8

Download Submit
\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
\Users\Admin\AppData\Local\Temp\txvsmr.exe
Filesize
138KB

MD5
7db58419fb74e71cadb4ba4a640aff4f

SHA1
987056519492e6395c1b43412458211ba2d3e26e

SHA256
57e109d63f79d3a467078222abcd8ec380995e867b034de74b28dc0ffd211f7f

SHA512
57c90ec48634d7c613e19d15d0f464dc1e9c7ade1a5bc0a4df90918fe60e1b5f53d792b938c83de96ef8dc2af19385b0b398830ca192d56817c0aa3158a7a3b4

Download Submit
\Users\Public\vbc.exe
Filesize
292KB

MD5
cd375ab06baa7632e9c4e7c951228ef1

SHA1
191c0f1539b7f10bac1f03ed2a73195ece5408b2

SHA256
4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

SHA512
fbf2cce383ec328e014251571a082a8d17dffa310f0aaf6411beae59a0bb9d870ce0f8d146b20655bc08e59541c7652377cec0bb0fbeba793ae6af42c398b3d8

Download Submit
memory/1196-91-0x0000000004CC0000-0x0000000004DA5000-memory.dmp

Filesize
916KB

Download
memory/1196-95-0x0000000006960000-0x0000000006A57000-memory.dmp

Filesize
988KB

Download
memory/1196-113-0x0000000007430000-0x00000000075C0000-memory.dmp

Filesize
1.6MB

Download
memory/1196-110-0x0000000007430000-0x00000000075C0000-memory.dmp

Filesize
1.6MB

Download
memory/1196-109-0x0000000007430000-0x00000000075C0000-memory.dmp

Filesize
1.6MB

Download
memory/1196-88-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1196-93-0x0000000003810000-0x0000000003910000-memory.dmp

Filesize
1024KB

Download
memory/1444-100-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/1444-104-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/1444-108-0x0000000000980000-0x0000000000A13000-memory.dmp

Filesize
588KB

Download
memory/1444-98-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/1444-105-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1444-102-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/1444-103-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1516-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-94-0x00000000006B0000-0x00000000006C4000-memory.dmp

Filesize
80KB

Download
memory/1516-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-90-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/1516-89-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1516-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-122-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download