Analysis
- max time kernel: 143s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 06:17
- Static task: static1
- Behavioral task: behavioral1 (sample: invoice.xls, resource: win7-20230220-en)
- Behavioral task: behavioral2 (sample: invoice.xls, resource: win10v2004-20230220-en)
General
- Target: invoice.xls
- Size: 1.3MB
- MD5: ccd88bef786f8ea5476f550b4bf3328a
- SHA1: eb36320094269ca0e3c7ebcb8405b2d41ec35bf2
- SHA256: 77f0075657d4275615fc35fa3008ed59f05a0b4e6fb785af1fd236b3abc0d1b4
- SHA512: 8cddfd64a141365c9d13b2d0ed329bc4fc21a2d2c623d51b7c29b62c7eb2e9233bc0129df8603f9c1b3a8a0ee6965e84f3100edefcff9f15639ff0d721f66242
- SSDEEP: 24576:WLK+WQmmav30xMSSMMednErP6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXXXpSSMM5:WLKzQmmQ30uMM6uMsR6lr3DGbP
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1920-85-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1920-89-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1920-90-0x0000000000400000-0x0000000000437000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1920-91-0x00000000003D0000-0x00000000003F6000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1920-92-0x00000000020F0000-0x0000000002130000-memory.dmp: family_snakekeylogger
-
Blocklisted process makes network request (1 IoC)
Processes (flow, pid, process):
- flow 3, PID 928, EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1612 vbc.exe
- 1976 fzutvwnon.exe
- 1920 fzutvwnon.exe
-
Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 928 EQNEDT32.EXE
- 1612 vbc.exe
- 1612 vbc.exe
- 1976 fzutvwnon.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution (1 TTP)
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (fzutvwnon.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (fzutvwnon.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (fzutvwnon.exe)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 4: checkip.dyndns.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1976 set thread context of 1920 (fzutvwnon.exe -> fzutvwnon.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
-
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
- EXCEL.EXE
-
Modifies registry class (64 IoCs)
Processes:
- EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 2028 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1920 fzutvwnon.exe
- 1920 fzutvwnon.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid, process):
- 1976 fzutvwnon.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1920 fzutvwnon.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
- 2028 EXCEL.EXE
- 2028 EXCEL.EXE
- 2028 EXCEL.EXE
-
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
- PID 928 wrote to memory of 1612 (EQNEDT32.EXE -> vbc.exe), 4 entries
- PID 1612 wrote to memory of 1976 (vbc.exe -> fzutvwnon.exe), 4 entries
- PID 1976 wrote to memory of 1920 (fzutvwnon.exe -> fzutvwnon.exe), 5 entries
-
outlook_office_path (1 IoC)
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (fzutvwnon.exe)
-
outlook_win_path (1 IoC)
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (fzutvwnon.exe)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2028)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 928)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Public\vbc.exe (PID 1612, child of EQNEDT32.EXE)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe (PID 1976, child of vbc.exe)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe" C:\Users\Admin\AppData\Local\Temp\amhfv.r
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe (PID 1920, child of fzutvwnon.exe PID 1976)
        Command line: "C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DC6A8B2.emf
  Filesize: 249KB
  MD5: 1a7fbc59e6099e8c42e1f3ea1fc1e57c
  SHA1: 069f119c72e0cf9fbb1149b7c55627bc5da20a89
  SHA256: 59309207b0a12b350fa5936f92c9cc1102fcacbb977717edc979fec025ae708f
  SHA512: 669c1e823eb91fb5ea8c76ee16dcfc8ee415421871b9d7035dbc1a234712b9e80311b21d8aeb61f99c69367c279774e54c56870cede82916b551add45e073ed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3AF7D0B.emf
  Filesize: 1.4MB
  MD5: d69c22a341e111feea69df6d8c655d60
  SHA1: ac862337f2efa43627508927f5052ce694012206
  SHA256: 05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db
  SHA512: d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c
-
C:\Users\Admin\AppData\Local\Temp\amhfv.r
  Filesize: 6KB
  MD5: 5385c914ba21e2acd3ed22e8e8cb531d
  SHA1: 41af2470ddf143003b0a5e7e30228bb2925053d0
  SHA256: ed30c27eb637febd67dc4c5ae3714e88f12b0871543d774ae9ce64f4fb4c36fd
  SHA512: 1fa6c8c7dd10ef32882568f157aa410674dd86981205393df30f055fb755d7dc07364016d44e5e636befeb32258020cd16288fac863e6acdca6c00c032ac8238
-
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
  Filesize: 138KB
  MD5: 5ae5136cf30b0ac8348fd79052c86b0c
  SHA1: 0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea
  SHA256: a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e
  SHA512: 86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9
-
C:\Users\Admin\AppData\Local\Temp\ujutoge.pl
  Filesize: 225KB
  MD5: ac99a9fb725cf4377037eb3a4f9c6990
  SHA1: 015488a0284f3141ee2a22cfff267fa330f07a9f
  SHA256: dc05a51ed6fde34cb631f3cc1a61762cb165f86e0b8db5f66db455cd8d9ce78c
  SHA512: 4578355428502a2798a252de5c0b70f0a4598902c3be1732fe7c54ae13a4f4f24c3cb72fcf5b04ac5ae3bf7cf00a2280f73135dcbd8dcb4bc315d8ef02ed55dc
-
C:\Users\Public\vbc.exe
  Filesize: 284KB
  MD5: 3d5458f26b59708a5d0da5567189aa41
  SHA1: 826bcb30b6bb04c549caf271b447710b015e316f
  SHA256: f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d
  SHA512: 205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465
-
memory/1920-95-0x00000000020F0000-0x0000000002130000-memory.dmp
  Filesize: 256KB
-
memory/1920-91-0x00000000003D0000-0x00000000003F6000-memory.dmp
  Filesize: 152KB
-
memory/1920-85-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
-
memory/1920-93-0x00000000020F0000-0x0000000002130000-memory.dmp
  Filesize: 256KB
-
memory/1920-92-0x00000000020F0000-0x0000000002130000-memory.dmp
  Filesize: 256KB
-
memory/1920-90-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
-
memory/1920-89-0x0000000000400000-0x0000000000437000-memory.dmp
  Filesize: 220KB
-
memory/2028-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
-
memory/2028-107-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB