formbook | 53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c

General

Target

April Orders.xls
Size

1.0MB
MD5

625c489b71a4a7b7dc61dc3121368f02
SHA1

a36ef17d7c854bd238b6113148b8ec11f54286d7
SHA256

53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c
SHA512

93a0dd13791b1ab3db705c6f74ea820c120a95ae041a6186474c16b19fe1c6d44d0b9ef7a816a47f71c82847b5f7941af88eb1b964dba513fc89c9eb800e2240
SSDEEP

24576:lLKiSSMMednE8akAmmjmRakAmmjmw+MXUlHeA2222222222222222222222K2D0z:lLK2Mnaaoeaaoz+MX7TZVAw

Score

10^/10

formbook purecrypter ar73 downloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

purecrypter

C2

http://192.3.215.60/uo7/Cbqta.png

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1972-94-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1972-100-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1972-105-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/912-107-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/912-109-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 776 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

836 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

776 EQNEDT32.EXE
776 EQNEDT32.EXE
776 EQNEDT32.EXE
776 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	776	EQNEDT32.EXE

pid	process
836	vbc.exe

pid	process
776	EQNEDT32.EXE
776	EQNEDT32.EXE
776	EQNEDT32.EXE
776	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exeMSBuild.exewlanext.exe

description	pid	process	target process
PID 836 set thread context of 1972	836	vbc.exe	MSBuild.exe
PID 1972 set thread context of 1196	1972	MSBuild.exe	Explorer.EXE
PID 1972 set thread context of 1196	1972	MSBuild.exe	Explorer.EXE
PID 912 set thread context of 1196	912	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

776 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
776	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1808 EXCEL.EXE

pid	process
1808	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exeMSBuild.exewlanext.exe

pid	process
1148	powershell.exe
1972	MSBuild.exe
1972	MSBuild.exe
1972	MSBuild.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe
912	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MSBuild.exewlanext.exe

pid process

1972 MSBuild.exe
1972 MSBuild.exe
1972 MSBuild.exe
1972 MSBuild.exe
912 wlanext.exe
912 wlanext.exe

pid	process
1972	MSBuild.exe
1972	MSBuild.exe
1972	MSBuild.exe
1972	MSBuild.exe
912	wlanext.exe
912	wlanext.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exepowershell.exeMSBuild.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	836	vbc.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1972	MSBuild.exe
Token: SeDebugPrivilege	912	wlanext.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1808 EXCEL.EXE
1808 EXCEL.EXE
1808 EXCEL.EXE

pid	process
1808	EXCEL.EXE
1808	EXCEL.EXE
1808	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EQNEDT32.EXEvbc.exeMSBuild.exewlanext.exe

description	pid	process	target process
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 776 wrote to memory of 836	776	EQNEDT32.EXE	vbc.exe
PID 836 wrote to memory of 1148	836	vbc.exe	powershell.exe
PID 836 wrote to memory of 1148	836	vbc.exe	powershell.exe
PID 836 wrote to memory of 1148	836	vbc.exe	powershell.exe
PID 836 wrote to memory of 1148	836	vbc.exe	powershell.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 836 wrote to memory of 1972	836	vbc.exe	MSBuild.exe
PID 1972 wrote to memory of 912	1972	MSBuild.exe	wlanext.exe
PID 1972 wrote to memory of 912	1972	MSBuild.exe	wlanext.exe
PID 1972 wrote to memory of 912	1972	MSBuild.exe	wlanext.exe
PID 1972 wrote to memory of 912	1972	MSBuild.exe	wlanext.exe
PID 912 wrote to memory of 544	912	wlanext.exe	cmd.exe
PID 912 wrote to memory of 544	912	wlanext.exe	cmd.exe
PID 912 wrote to memory of 544	912	wlanext.exe	cmd.exe
PID 912 wrote to memory of 544	912	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\April Orders.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
4⤵
PID:1536

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A02D1DF.emf
Filesize
1.4MB

MD5
5c65827565e89d5357d6f81294701c19

SHA1
600aa1899bdc58d12671774e84033366dc931c04

SHA256
dec6f35ceb48260f3ba4e6487c48d3f97b274f2eff29cab00c2c7e677eef4b4f

SHA512
052c177c606d30f4f3b658f60bb3643fffec498cc8fa931b4380aa6b93ac20fa9ef4600645740e99ba2f6d43e333fe783378d14395132819d6fb44787aad196a

Download Submit
C:\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
C:\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
C:\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
\Users\Public\vbc.exe
Filesize
88KB

MD5
eebdd5b69b2fbe296a4e848b6ece83e7

SHA1
a416b80860c5810aa92c72382eb34c29a36ad34a

SHA256
dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

SHA512
b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa

Download Submit
memory/836-78-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/836-79-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/836-80-0x0000000005EE0000-0x0000000006062000-memory.dmp

Filesize
1.5MB

Download
memory/836-81-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/836-86-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/912-104-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/912-111-0x0000000001CD0000-0x0000000001D63000-memory.dmp

Filesize
588KB

Download
memory/912-106-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/912-108-0x0000000001E70000-0x0000000002173000-memory.dmp

Filesize
3.0MB

Download
memory/912-109-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/912-107-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1148-84-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/1148-85-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/1148-89-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/1148-88-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/1148-87-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/1196-117-0x00000000066B0000-0x00000000067D4000-memory.dmp

Filesize
1.1MB

Download
memory/1196-114-0x00000000066B0000-0x00000000067D4000-memory.dmp

Filesize
1.1MB

Download
memory/1196-113-0x00000000066B0000-0x00000000067D4000-memory.dmp

Filesize
1.1MB

Download
memory/1196-99-0x0000000004C80000-0x0000000004D49000-memory.dmp

Filesize
804KB

Download
memory/1196-103-0x0000000004E10000-0x0000000004ED1000-memory.dmp

Filesize
772KB

Download
memory/1808-122-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1808-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-93-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-102-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1972-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-98-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1972-97-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1972-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads