Analysis
- max time kernel: 144s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 16:22
- Static task: static1
- Behavioral task behavioral1: Sample purchase request sheet.doc, Resource win7v20201028
- Behavioral task behavioral2: Sample purchase request sheet.doc, Resource win10v20201028
General
- Target: purchase request sheet.doc
- Size: 1.2MB
- MD5: 093ec9c7c51b43649d0658da435fc7f2
- SHA1: 7a5b7eb7a46f25a0354e479bbe726565672e9ff3
- SHA256: 5c755513f6bb355adb6e71b9970361b71191b987dbfa53a1fa4b79651b75fe15
- SHA512: 3b55ae6e59bcd28ce04d753f4b800a80fcde5e2560d59936d57925a6e84eebfd4c2f926b924e4e9bc2df3297e69bcb1a5dc5924af251795cc3280be74b4dc9ff
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Blocklisted process makes network request (1 IoC)
  EQNEDT32.EXE (PID 1112), network flow 7
- Executes dropped EXE (2 IoCs)
  cax8343.exe (PID 476); cax8343.exe (PID 1892)
- Loads dropped DLL (1 IoC)
  EQNEDT32.EXE (PID 1112)
- Adds Run key to start application (2 TTPs, 1 IoC)
  cax8343.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpjI = "C:\\Users\\Admin\\AppData\\Local\\cpjI.url"
  The Run value points at an Internet Shortcut (.url) rather than an executable; the shortcut's own URL= line, not the registry value, holds what is launched at logon, so the contents of cpjI.url are needed to know what actually persists.
- Suspicious use of SetThreadContext (1 IoC)
  PID 476 (cax8343.exe) set thread context of PID 1892 (cax8343.exe)
- Drops file in Windows directory (1 IoC)
  WINWORD.EXE: File opened for modification C:\Windows\Debug\WIA\wiatrace.log
  (wiatrace.log is the Windows Image Acquisition trace log that Word opens on its own; this hit is sandbox noise, not part of the infection chain.)
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE (PID 1112) is the process that makes the network request and then writes into and starts the dropped cax8343.exe, which is the behaviour expected after a successful Equation Editor exploit; the report does not identify the specific CVE.
- Modifies Internet Explorer settings
  WINWORD.EXE:
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  (These keys register Office 2010's own "Export to Microsoft Excel" and "Send to OneNote" context-menu entries for Internet Explorer; they are normal first-run Office behaviour and not attacker activity.)
- Modifies system certificate store
  cax8343.exe:
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted), set twice
  Writes under AuthRoot\Certificates are also produced by Windows' automatic root-certificate update when a process builds a certificate chain for the first time, typically on its first TLS connection, so on its own this IoC is consistent with cax8343.exe having gone online rather than proof that the trust store was tampered with.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  WINWORD.EXE (PID 2024)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  cax8343.exe (PID 1892)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  cax8343.exe (PID 1892): Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  WINWORD.EXE (PID 2024), two hooks
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1112 (EQNEDT32.EXE) wrote to memory of PID 476 (cax8343.exe): 4 events
  PID 476 (cax8343.exe) wrote to memory of PID 1892 (cax8343.exe): 6 events
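Detection logic for the chain the signatures above describe, as an added example that is not part of the report or of any sandbox's code. The event records are constructed to mirror the report (PIDs, image paths and the Run key value are taken from it); the Event schema is hypothetical rather than a particular EDR's, svchost.exe as the parent of EQNEDT32.EXE is assumed because the report does not list it, and the chrome.exe and updater.exe events are made-up benign noise to show the rules do not fire on them.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record, reduced to the fields the rules below need.
    The schema is hypothetical, not that of a specific EDR or Sysmon."""
    kind: str                 # "process", "network", "inject" or "registry"
    pid: int
    image: str
    parent_image: str = ""    # process events only
    target_pid: int = 0       # inject events only
    target_image: str = ""
    key: str = ""             # registry events only
    value: str = ""


EQNEDT = "eqnedt32.exe"
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
APPDATA_URL = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\.*\.url$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return the sorted set of (rule, pid) pairs fired by the events."""
    hits = set()
    for e in events:
        img = basename(e.image)
        # EQNEDT32.EXE is started over DCOM (-Embedding), so its parent is not
        # WINWORD.EXE; key on what Equation Editor does, not on who started it.
        if e.kind == "process" and basename(e.parent_image) == EQNEDT:
            hits.add(("eqnedt32_child_process", e.pid))
        if e.kind == "network" and img == EQNEDT:
            hits.add(("eqnedt32_network", e.pid))
        # A process writing into, and setting the thread context of, a second
        # copy of its own image: the 476 -> 1892 step in the report.
        if e.kind == "inject" and e.target_pid != e.pid and basename(e.target_image) == img:
            hits.add(("self_injection", e.target_pid))
        # Run-key persistence through an Internet Shortcut under the user's AppData.
        if e.kind == "registry" and RUN_KEY.search(e.key) and APPDATA_URL.match(e.value.strip('"')):
            hits.add(("run_key_url_shortcut", e.pid))
    return sorted(hits)


# Constructed events mirroring the report's process tree (PIDs and paths from the
# report; svchost.exe as EQNEDT32.EXE's parent is assumed), plus benign noise.
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CAX = r"C:\Users\Admin\AppData\Roaming\cax8343.exe"
SAMPLE_EVENTS = [
    Event("process", 2024, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("process", 1112, EQN, parent_image=r"C:\Windows\System32\svchost.exe"),
    Event("network", 1112, EQN),
    Event("process", 476, CAX, parent_image=EQN),
    Event("inject", 476, CAX, target_pid=1892, target_image=CAX),
    Event("process", 1892, CAX, parent_image=CAX),
    Event("registry", 476, CAX,
          key=r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpjI",
          value=r"C:\Users\Admin\AppData\Local\cpjI.url"),
    # benign noise (constructed): a browser going online, a vendor updater in Run
    Event("network", 3000, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("registry", 3000, r"C:\Program Files\Vendor\updater.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          value=r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} pid={pid}")
```

The four rules fire once each on the constructed sample and not at all on the noise. The first two deliberately ignore the parent of EQNEDT32.EXE: because Equation Editor is launched with -Embedding, a rule that requires WINWORD.EXE as its parent never matches this chain.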
Processes
- "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\purchase request sheet.doc"  (PID 2024, depth 1)
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding  (PID 1112, depth 1)
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Roaming\cax8343.exe"  (PID 476, depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Roaming\cax8343.exe"  (PID 1892, depth 3)
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables. EQNEDT32.EXE sits at the top level rather than under WINWORD.EXE because the -Embedding switch means it was started by the DCOM infrastructure on Word's behalf, not as a child process of Word; a parent-child detection keyed on WINWORD.EXE spawning EQNEDT32.EXE misses this chain, whereas EQNEDT32.EXE making a network request and starting an executable from AppData\Roaming does not.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\cax8343.exe (the report lists this file four times, once with the drive letter dropped as \Users\Admin\AppData\Roaming\cax8343.exe; every entry carries the same hashes)
  MD5: a88c0408e7888f549e40940279758fa6
  SHA1: 38a44dbf2b47e758a6ed4c68362ac40cf9b5ef5c
  SHA256: b4711ee19363ec125911ae1356714720a9d9b463848b1044d08d56977cb960db
  SHA512: 5536b0ad743417f0984e26646fe1c1294ca8acebbc08f9c5a03f75df3479b7168eef509a3574cf88efc33d15c15f2a8420c738d60ac1bb40e8f6a94b7bb2c4a9
- memory/476-5-0x0000000000000000-mapping.dmp
- memory/476-7-0x0000000001ED0000-0x0000000001EE3000-memory.dmp (76KB)
- memory/476-9-0x0000000004400000-0x0000000004479000-memory.dmp (484KB)
- memory/1796-3-0x000007FEF6510000-0x000007FEF678A000-memory.dmp (2.5MB)
- memory/1892-12-0x0000000000400000-0x000000000045B000-memory.dmp (364KB)
- memory/1892-15-0x0000000000400000-0x000000000045B000-memory.dmp (364KB)
- memory/1892-13-0x000000000040CD2F-mapping.dmp
- memory/1892-16-0x0000000002060000-0x0000000002071000-memory.dmp (68KB)
- memory/1892-17-0x000000006AD00000-0x000000006B3EE000-memory.dmp (6.9MB)
- memory/1892-18-0x0000000002060000-0x00000000020AD000-memory.dmp (308KB)
- memory/1892-24-0x00000000020B0000-0x00000000020FC000-memory.dmp (304KB)
- memory/2024-2-0x0000000004110000-0x0000000004114000-memory.dmp (16KB)
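How to read the memory-dump listing above against the SetThreadContext and WriteProcessMemory signatures, as an added example that is not part of the report. The dump names are copied from the listing; the parser and the reading of a "mapping" dump as the address at which the sandbox saw a thread start are our assumptions about the report's naming, not something the report states.

```python
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped region
# memory/<pid>-<seq>-0x<addr>-mapping.dmp           a thread-start address (assumed meaning)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Dump names copied from the report's listing.
DUMPS = """
memory/476-5-0x0000000000000000-mapping.dmp
memory/476-7-0x0000000001ED0000-0x0000000001EE3000-memory.dmp
memory/476-9-0x0000000004400000-0x0000000004479000-memory.dmp
memory/1796-3-0x000007FEF6510000-0x000007FEF678A000-memory.dmp
memory/1892-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1892-15-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1892-13-0x000000000040CD2F-mapping.dmp
memory/1892-16-0x0000000002060000-0x0000000002071000-memory.dmp
memory/1892-17-0x000000006AD00000-0x000000006B3EE000-memory.dmp
memory/1892-18-0x0000000002060000-0x00000000020AD000-memory.dmp
memory/1892-24-0x00000000020B0000-0x00000000020FC000-memory.dmp
memory/2024-2-0x0000000004110000-0x0000000004114000-memory.dmp
""".split()


def parse_dump(name):
    """Split one dump name into pid, sequence number, kind and addresses."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": int(m["start"], 16)}
    if m["end"] is None:
        d["kind"] = "mapping"
    else:
        d["kind"] = "region"
        d["end"] = int(m["end"], 16)
        d["size_kb"] = (d["end"] - d["start"]) // 1024   # matches the report's KB figures
    return d


def regions_by_pid(dumps):
    out = defaultdict(list)
    for d in map(parse_dump, dumps):
        out[d["pid"]].append(d)
    return out


def find_hollowed(dumps):
    """PIDs whose mapping address lies strictly inside one of their own dumped
    regions, as {pid: (region start, region end, mapping address, times dumped)}.

    For PID 1892 the 0x400000-0x45B000 region (the executable image) is dumped
    twice, seq 12 and 15, and the thread-start address 0x40CD2F is inside it at
    a non-zero offset: that pairing is the evidence behind the report's
    "PID 476 set thread context of 1892" after six WriteProcessMemory calls.
    PID 476's own mapping at address 0 falls inside no region and is ignored."""
    found = {}
    for pid, items in regions_by_pid(dumps).items():
        regions = [d for d in items if d["kind"] == "region"]
        for mp in (d for d in items if d["kind"] == "mapping"):
            for r in regions:
                if r["start"] < mp["start"] < r["end"]:
                    dumped = sum(1 for x in regions
                                 if (x["start"], x["end"]) == (r["start"], r["end"]))
                    found[pid] = (r["start"], r["end"], mp["start"], dumped)
                    break
    return found


if __name__ == "__main__":
    for pid, (lo, hi, entry, n) in find_hollowed(DUMPS).items():
        print(f"pid {pid}: thread start 0x{entry:X} at offset 0x{entry - lo:X} "
              f"inside 0x{lo:X}-0x{hi:X}, region dumped {n} times")
```

Running it names only PID 1892, with the thread start at offset 0xCD2F into the 364KB image region. The same check on an unrelated report is only meaningful once the region list and mapping dumps come from the same process, which is why the grouping is by PID before any address comparison.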