Analysis
max time kernel: 152s
max time network: 134s
platform: windows7_x64
resource: win7v200722
submitted: 17-09-2020 06:02

Static task: static1

Behavioral task: behavioral1
Sample: invoice_941235.doc
Resource: win7v200722

Behavioral task: behavioral2
Sample: invoice_941235.doc
Resource: win10v200722

General
Target: invoice_941235.doc
Size: 12KB
MD5: c7c80f25d00778c46a8acc0385df0e58
SHA1: 12cbd6f950bd590647bb40ac72a2549d715e26e8
SHA256: b2da1683029eeaebd526bf72a88599d651816a3c756db7a80dc48282579ac137
SHA512: b915001c787b4b0c0e59b9519c5de0dff56ec5c6a7807ddfbc063f7ba37c052bdadda0df44f0fccd57cacd8ff07a40a6e1102f600ab63fdca4b2c9a1012b5ab9
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe

Blacklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
6 | 1680 | EQNEDT32.EXE

Executes dropped EXE 1 IoCs
Processes: vbc.exe
pid | process
1884 | vbc.exe

Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe

Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE, rundll32.exe
pid | process
1680 | EQNEDT32.EXE
1680 | EQNEDT32.EXE
1680 | EQNEDT32.EXE
1972 | rundll32.exe

Uses the VBS compiler for execution 1 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3q1gee573qsc.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3q1gee573qsc.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe

Checks whether UAC is enabled
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: cmd.exe, explorer.exe
pid | process
316 | cmd.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe

NSIS installer 10 IoCs
resource | yara_rule
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_2
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_2
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\vbc.exe | nsis_installer_2
Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
1108 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes: rundll32.exe, explorer.exe
pid | process
1972 | rundll32.exe
1972 | rundll32.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe

Suspicious behavior: MapViewOfSection 8 IoCs
Processes: rundll32.exe, cmd.exe, explorer.exe
pid | process
1972 | rundll32.exe
1972 | rundll32.exe
316 | cmd.exe
316 | cmd.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe
1456 | explorer.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: cmd.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 316 | cmd.exe
Token: SeRestorePrivilege | 316 | cmd.exe
Token: SeBackupPrivilege | 316 | cmd.exe
Token: SeLoadDriverPrivilege | 316 | cmd.exe
Token: SeCreatePagefilePrivilege | 316 | cmd.exe
Token: SeShutdownPrivilege | 316 | cmd.exe
Token: SeTakeOwnershipPrivilege | 316 | cmd.exe
Token: SeChangeNotifyPrivilege | 316 | cmd.exe
Token: SeCreateTokenPrivilege | 316 | cmd.exe
Token: SeMachineAccountPrivilege | 316 | cmd.exe
Token: SeSecurityPrivilege | 316 | cmd.exe
Token: SeAssignPrimaryTokenPrivilege | 316 | cmd.exe
Token: SeCreateGlobalPrivilege | 316 | cmd.exe
Token: 33 | 316 | cmd.exe
Token: SeDebugPrivilege | 1456 | explorer.exe
Token: SeRestorePrivilege | 1456 | explorer.exe
Token: SeBackupPrivilege | 1456 | explorer.exe
Token: SeLoadDriverPrivilege | 1456 | explorer.exe
Token: SeCreatePagefilePrivilege | 1456 | explorer.exe
Token: SeShutdownPrivilege | 1456 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1456 | explorer.exe
Token: SeChangeNotifyPrivilege | 1456 | explorer.exe
Token: SeCreateTokenPrivilege | 1456 | explorer.exe
Token: SeMachineAccountPrivilege | 1456 | explorer.exe
Token: SeSecurityPrivilege | 1456 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1456 | explorer.exe
Token: SeCreateGlobalPrivilege | 1456 | explorer.exe
Token: 33 | 1456 | explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
1108 | WINWORD.EXE
1108 | WINWORD.EXE
Suspicious use of WriteProcessMemory 88 IoCs
Processes:
EQNEDT32.EXEvbc.exerundll32.execmd.exedescription pid process target process PID 1680 wrote to memory of 1884 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1884 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1884 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1884 1680 EQNEDT32.EXE vbc.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1884 wrote to memory of 1972 1884 vbc.exe rundll32.exe PID 1972 wrote to memory of 1132 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 1132 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 1132 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 1132 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 1132 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe 
cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 1972 wrote to memory of 316 1972 rundll32.exe cmd.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe PID 316 wrote to memory of 1456 316 cmd.exe explorer.exe
Processes
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoice_941235.doc"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blacklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\vbc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe EncoreSlipway,Breathing
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Modifies firewall policy service
          - Checks BIOS information in registry
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AmahRealgar
- C:\Users\Admin\AppData\Local\Temp\EncoreSlipway.DLL
- C:\Users\Admin\AppData\Roaming\vbc.exe
- C:\Users\Admin\AppData\Roaming\vbc.exe
- \Users\Admin\AppData\Local\Temp\EncoreSlipway.dll
- \Users\Admin\AppData\Roaming\vbc.exe
- \Users\Admin\AppData\Roaming\vbc.exe
- \Users\Admin\AppData\Roaming\vbc.exe
- memory/316-12-0x0000000000000000-mapping.dmp
- memory/316-13-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/316-14-0x00000000027E0000-0x0000000002893000-memory.dmp (Filesize 716KB)
- memory/316-15-0x0000000002DC0000-0x0000000002F41000-memory.dmp (Filesize 1.5MB)
- memory/1456-16-0x0000000000000000-mapping.dmp
- memory/1820-0-0x000007FEF7770000-0x000007FEF79EA000-memory.dmp (Filesize 2.5MB)
- memory/1884-4-0x0000000000000000-mapping.dmp
- memory/1972-7-0x0000000000000000-mapping.dmp
- memory/1972-11-0x0000000002900000-0x0000000002935000-memory.dmp (Filesize 212KB)