Analysis
- max time kernel: 76s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-12-2020 07:16
- Static task: static1
- Behavioral task: behavioral1 (Sample: New-Order December-15th.xlsx, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: New-Order December-15th.xlsx, Resource: win10v20201028)
General
- Target: New-Order December-15th.xlsx
- Size: 2.3MB
- MD5: e03ed5e77e5800540f0448a8318eaf34
- SHA1: 56af39d425961607df89dabb30480038828701c0
- SHA256: 3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7
- SHA512: 4d26a232dd177a2670fc4272823d7de3feb30e06d9970b331c02e1b299df5dca7811e4ccae707cb4b5018d8b08af70ca2b265fe1fde5a0650ebb9e54ae01eb76
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/932-18-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/932-19-0x0000000000402BCB-mapping.dmp | netwire
  behavioral1/memory/932-21-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  6 | 2044 | EQNEDT32.EXE
- Executes dropped EXE (2 IoCs)
  pid | process
  776 | vbc.exe
  932 | vbc.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Modifies Installed Components in the registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | vbc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | vbc.exe
- Loads dropped DLL (4 IoCs)
  pid | process
  2044 | EQNEDT32.EXE (listed 4 times)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Public\\vbc.exe" | vbc.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | vbc.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 776 set thread context of 932 | 776 | vbc.exe | vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  1208 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  776 | vbc.exe (listed 2 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 776 | vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  1208 | EXCEL.EXE (listed 3 times)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 2044 wrote to memory of 776 | 2044 | EQNEDT32.EXE | vbc.exe (listed 4 times)
  PID 776 wrote to memory of 932 | 776 | vbc.exe | vbc.exe (listed 11 times)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New-Order December-15th.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (level 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe (level 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: d543a59ba12985acaf4134c3ff427b86
  SHA1: 626f4d2877429d63586bc0ccfdf313911b6817c8
  SHA256: 45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
  SHA512: 80bfd4931b4a0e032fd583544cdf4fe36a0791d988b3ccfdcffe826fb1f93dabadf9de7f0a309da5eca1972839420e0c4bac796b9768d740075980459962689e
\Users\Public\vbc.exe
  MD5: d543a59ba12985acaf4134c3ff427b86
  SHA1: 626f4d2877429d63586bc0ccfdf313911b6817c8
  SHA256: 45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
  SHA512: 80bfd4931b4a0e032fd583544cdf4fe36a0791d988b3ccfdcffe826fb1f93dabadf9de7f0a309da5eca1972839420e0c4bac796b9768d740075980459962689e
- memory/268-2-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmp (Filesize: 2.5MB)
- memory/776-10-0x000000006BEB0000-0x000000006C59E000-memory.dmp (Filesize: 6.9MB)
- memory/776-11-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/776-13-0x0000000028300000-0x00000000482E8000-memory.dmp (Filesize: 511.9MB)
- memory/776-14-0x0000000001F50000-0x0000000001F99000-memory.dmp (Filesize: 292KB)
- memory/776-15-0x00000000007A0000-0x00000000007A8000-memory.dmp (Filesize: 32KB)
- memory/776-17-0x0000000002150000-0x000000000217C000-memory.dmp (Filesize: 176KB)
- memory/776-7-0x0000000000000000-mapping.dmp
- memory/932-18-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/932-19-0x0000000000402BCB-mapping.dmp
- memory/932-21-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)