Analysis
- max time kernel: 77s
- max time network: 80s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-12-2020 07:15
- Static task: static1
- Behavioral task behavioral1: Sample "Import and Export Regulation.xlsx", Resource win7v20201028
- Behavioral task behavioral2: Sample "Import and Export Regulation.xlsx", Resource win10v20201028
General
- Target: Import and Export Regulation.xlsx
- Size: 2.3MB
- MD5: b42c2fed481f5ec6f99f678d1f6f036f
- SHA1: c91e029f1e0304e0b1439085fae57609d7e1962d
- SHA256: c0b84d4a7affdc167863953ad494d02550d020a6efb083a1375d86a1b3b76edc
- SHA512: cded7c450a0a6ac0fdad1b88306451ec29fd3319f4c1fa9d48d7274c20a49eb8bf793451bfdf75451882b83c3c54705cbe74563e0182ceee7a42576421322464
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  resource / yara_rule:
    behavioral1/memory/1184-19-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
    behavioral1/memory/1184-20-0x0000000000402BCB-mapping.dmp                     netwire
    behavioral1/memory/1184-23-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  flow / pid / process:
    6   2028   EQNEDT32.EXE
- Executes dropped EXE (3 IoCs)
  pid / process:
    1732   vbc.exe
    1224   vbc.exe
    1184   vbc.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Modifies Installed Components in the registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   vbc.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    vbc.exe
- Loads dropped DLL (4 IoCs)
  pid / process:
    2028   EQNEDT32.EXE   (4 events)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
    Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\   vbc.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Public\\vbc.exe"   vbc.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description / ioc / process:
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     vbc.exe
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / target process:
    PID 1732 set thread context of 1184   1732   vbc.exe   vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description / ioc / process:
    Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor   EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  description / ioc / process:
    Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar   EXCEL.EXE
    Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt   EXCEL.EXE
    Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote   EXCEL.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"   EXCEL.EXE
    Set value (int)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"   EXCEL.EXE
    Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel   EXCEL.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"   EXCEL.EXE
    Set value (int)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"   EXCEL.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"   EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid / process:
    740   EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / process:
    1732   vbc.exe   (3 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
    Token: SeDebugPrivilege   1732   vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / process:
    740   EXCEL.EXE   (3 events)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description / pid / process / target process:
    PID 2028 wrote to memory of 1732   2028   EQNEDT32.EXE   vbc.exe   (4 events)
    PID 1732 wrote to memory of 1224   1732   vbc.exe        vbc.exe   (4 events)
    PID 1732 wrote to memory of 1184   1732   vbc.exe        vbc.exe   (11 events)
Processes
- "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Import and Export Regulation.xlsx"   (PID 740, depth 1)
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding   (PID 2028, depth 1)
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Public\vbc.exe"   (PID 1732, depth 2)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Public\vbc.exe"   (PID 1224, depth 3; written to by 1732)
      - Executes dropped EXE
    - "C:\Users\Public\vbc.exe"   (PID 1184, depth 3; written to by 1732, SetThreadContext target, NetWire payload found in its memory)
      - Executes dropped EXE
      - Adds Run key to start application
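The process tree and signature rows above describe one delivery chain: Excel hands the embedded object to Equation Editor, EQNEDT32.EXE writes and runs vbc.exe from C:\Users\Public, and that vbc.exe writes into a second copy of itself and replaces its thread context (process hollowing) before the hollowed copy registers a Run key. The rules below, an added example by the editor and not code from the sandbox vendor or this report, turn those rows into three checks a detection engineer would run over the same telemetry. The event records are constructed by hand from the report's tables; the field names (`api`, `pid`, `target`, `image`, `op`, `key`, `data`) are an assumed normalised schema, not the sandbox's export format, and the rules use only the evidence the report shows (the 1732 -> 1224 write has no matching SetThreadContext row, so it is deliberately not reported as hollowing).

```python
"""Detection rules over the events in this sandbox report.

Added example (editor's own code, not the sandbox's). Event records are
constructed from the report's rows; the schema is assumed.
"""
import ntpath
from collections import defaultdict

# pid -> (image path, parent pid), from the process tree and the
# WriteProcessMemory parent/child pairs in the report.
PROCESSES = {
    740:  (r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE", None),
    2028: (r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", None),
    1732: (r"C:\Users\Public\vbc.exe", 2028),
    1224: (r"C:\Users\Public\vbc.exe", 1732),
    1184: (r"C:\Users\Public\vbc.exe", 1732),
}

# Constructed from the "Suspicious use of WriteProcessMemory/SetThreadContext" rows.
API_EVENTS = [
    {"api": "WriteProcessMemory", "pid": 2028, "target": 1732},
    {"api": "WriteProcessMemory", "pid": 1732, "target": 1224},
    {"api": "WriteProcessMemory", "pid": 1732, "target": 1184},
    {"api": "SetThreadContext", "pid": 1732, "target": 1184},
]

# Constructed from the registry IoC rows (the report names only the image).
REG_EVENTS = [
    {"image": "vbc.exe", "op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire",
     "data": r"C:\Users\Public\vbc.exe"},
    {"image": "vbc.exe", "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"image": "vbc.exe", "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"image": "vbc.exe", "op": "query", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"},
    {"image": "EXCEL.EXE", "op": "query", "key": r"\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor"},
]

USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
OFFICE_EXPLOIT_HOSTS = {"eqnedt32.exe"}
SANDBOX_PROBE_KEYS = ("systembiosversion", "videobiosversion", "\\services\\disk\\enum")


def office_exploit_children(procs=PROCESSES):
    """PIDs spawned by Equation Editor whose image lives in a user-writable
    directory: the drop-and-run pattern seen after CVE-2017-11882 exploitation."""
    hits = []
    for pid, (image, ppid) in procs.items():
        if ppid is None or ntpath.basename(procs[ppid][0]).lower() not in OFFICE_EXPLOIT_HOSTS:
            continue
        if any(marker in image.lower() for marker in USER_WRITABLE):
            hits.append(pid)
    return sorted(hits)


def hollowing_chains(procs=PROCESSES, events=API_EVENTS):
    """(parent, child) pairs where the parent both wrote into a child running
    the same image and replaced its thread context. A write alone is not
    enough evidence, so 1732 -> 1224 is not flagged."""
    written, context = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["api"] == "WriteProcessMemory":
            written[ev["pid"]].add(ev["target"])
        elif ev["api"] == "SetThreadContext":
            context[ev["pid"]].add(ev["target"])
    chains = []
    for parent, targets in written.items():
        for child in targets & context.get(parent, set()):
            if procs[parent][0].lower() == procs[child][0].lower():
                chains.append((parent, child))
    return sorted(chains)


def classify_registry(events=REG_EVENTS):
    """Split registry activity into persistence (Run entries pointing at a
    user-writable path) and sandbox probes (BIOS / disk enumeration keys)."""
    out = {"persistence": [], "sandbox_probe": []}
    for ev in events:
        key = ev["key"].lower()
        if ev["op"] == "set" and "\\currentversion\\run\\" in key:
            if any(m in ev.get("data", "").lower() for m in USER_WRITABLE):
                out["persistence"].append((ev["image"], ev["key"].rsplit("\\", 1)[1], ev["data"]))
        elif ev["op"] == "query" and any(m in key for m in SANDBOX_PROBE_KEYS):
            out["sandbox_probe"].append((ev["image"], ev["key"]))
    return out


if __name__ == "__main__":
    print("Equation Editor children in user-writable paths:", office_exploit_children())
    print("Process hollowing chains (parent, child):", hollowing_chains())
    print("Registry classification:", classify_registry())
```

The hollowing rule requires both a cross-process write and a SetThreadContext on the same parent/child pair because a write by itself also occurs in benign parent/child setups; the FloatingPointProcessor lookup by EXCEL.EXE is left unclassified on purpose, since that key is read by ordinary software and is not a useful sandbox indicator on its own.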
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe   (listed 4 times, identical hashes)
  MD5: 0f70263fe10dd4f80b8f55d7ee4c75c6
  SHA1: 01774685daf3b29f6ca167fc685df442ffcfcef3
  SHA256: d448e98a5a460af5fe86ca742ec12b77bfd051db847cff94c4e60189379548ae
  SHA512: 2c3f050e4a08340b12948dd30886c7fa60f2dc60281cfc408cb84928de8d474f156ee6bf4bf8a6264e82ce1e3d30195fc30845edff349eaf24b486f840923f10
- \Users\Public\vbc.exe   (listed 4 times, same hashes as above)
  MD5: 0f70263fe10dd4f80b8f55d7ee4c75c6
  SHA1: 01774685daf3b29f6ca167fc685df442ffcfcef3
  SHA256: d448e98a5a460af5fe86ca742ec12b77bfd051db847cff94c4e60189379548ae
  SHA512: 2c3f050e4a08340b12948dd30886c7fa60f2dc60281cfc408cb84928de8d474f156ee6bf4bf8a6264e82ce1e3d30195fc30845edff349eaf24b486f840923f10
- memory/1184-23-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
- memory/1184-20-0x0000000000402BCB-mapping.dmp
- memory/1184-19-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
- memory/1732-7-0x0000000000000000-mapping.dmp
- memory/1732-15-0x0000000000540000-0x0000000000548000-memory.dmp   Filesize 32KB
- memory/1732-17-0x0000000045C80000-0x0000000045CC5000-memory.dmp   Filesize 276KB
- memory/1732-14-0x0000000045AE0000-0x0000000045B3E000-memory.dmp   Filesize 376KB
- memory/1732-13-0x0000000025770000-0x0000000045758000-memory.dmp   Filesize 511.9MB
- memory/1732-11-0x0000000001040000-0x0000000001041000-memory.dmp   Filesize 4KB
- memory/1732-10-0x000000006C560000-0x000000006CC4E000-memory.dmp   Filesize 6.9MB
- memory/1732-22-0x00000000003E0000-0x0000000000410000-memory.dmp   Filesize 192KB
- memory/1960-2-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp   Filesize 2.5MB