Analysis
max time kernel: 135s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: Order_385647584.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Order_385647584.xlsx
  Resource: win10v20201028
General
Target: Order_385647584.xlsx
Size: 1.5MB
MD5: d040c427703e2a2183f67742c2a5af54
SHA1: e88e65daa49e1dac16bd0b727943758c47057284
SHA256: 0ac1a7ed74f413e6d39a5235038f3c2dea7956f455f37aac5e2a5770cf364690
SHA512: 62432ed70b468c3044a635fd10e62bd2925e2967c487a7c3d067fcca065cffc43d7770ffe5b652740b7ee244f440e8934ee5f93b07cd263dc8150adce0b55b4f
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
    6 / 880 / EQNEDT32.EXE
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    572 / vbc.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid / process):
    880 / EQNEDT32.EXE
    880 / EQNEDT32.EXE
    880 / EQNEDT32.EXE
    880 / EQNEDT32.EXE
    880 / EQNEDT32.EXE
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor / EXCEL.EXE
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / EXCEL.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / EXCEL.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar / EXCEL.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / EXCEL.EXE
    Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt / EXCEL.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / EXCEL.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
    784 / EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid / process):
    784 / EXCEL.EXE
    784 / EXCEL.EXE
    784 / EXCEL.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 880 wrote to memory of 572 / 880 / EQNEDT32.EXE / vbc.exe
    PID 880 wrote to memory of 572 / 880 / EQNEDT32.EXE / vbc.exe
    PID 880 wrote to memory of 572 / 880 / EQNEDT32.EXE / vbc.exe
    PID 880 wrote to memory of 572 / 880 / EQNEDT32.EXE / vbc.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order_385647584.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 784
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 880
  - C:\Users\Public\vbc.exe (child of PID 880)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    PID: 572
Network
MITRE ATT&CK Enterprise v6
Downloads
(the report lists this entry seven times with identical hashes)
- MD5: a9aadbd4208e20a12d45f65183ba6287
  SHA1: 1086fb9078565f9606a27833b9beb41c8abbc01c
  SHA256: 75883e51d64d24812b56da68bc0d2747060a7d50005b92c0a76b808ba76c511a
  SHA512: 25bc677b309fbae476e030ed5ec7f0136a91c87ce420197664181e97f0e214172c781c0a6918b0cc81d00e10d78964123457329f3d80f3a8504f7065757b86f2