Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 08:25

General

  • Target

    Order_385647584.xlsx

  • Size

    1.5MB

  • MD5

    d040c427703e2a2183f67742c2a5af54

  • SHA1

    e88e65daa49e1dac16bd0b727943758c47057284

  • SHA256

    0ac1a7ed74f413e6d39a5235038f3c2dea7956f455f37aac5e2a5770cf364690

  • SHA512

    62432ed70b468c3044a635fd10e62bd2925e2967c487a7c3d067fcca065cffc43d7770ffe5b652740b7ee244f440e8934ee5f93b07cd263dc8150adce0b55b4f

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order_385647584.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:784
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      PID:572

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Public\vbc.exe

    MD5

    a9aadbd4208e20a12d45f65183ba6287

    SHA1

    1086fb9078565f9606a27833b9beb41c8abbc01c

    SHA256

    75883e51d64d24812b56da68bc0d2747060a7d50005b92c0a76b808ba76c511a

    SHA512

    25bc677b309fbae476e030ed5ec7f0136a91c87ce420197664181e97f0e214172c781c0a6918b0cc81d00e10d78964123457329f3d80f3a8504f7065757b86f2

  • \Users\Public\vbc.exe

    MD5

    a9aadbd4208e20a12d45f65183ba6287

    SHA1

    1086fb9078565f9606a27833b9beb41c8abbc01c

    SHA256

    75883e51d64d24812b56da68bc0d2747060a7d50005b92c0a76b808ba76c511a

    SHA512

    25bc677b309fbae476e030ed5ec7f0136a91c87ce420197664181e97f0e214172c781c0a6918b0cc81d00e10d78964123457329f3d80f3a8504f7065757b86f2

  • memory/572-8-0x0000000000000000-mapping.dmp

  • memory/572-11-0x0000000000300000-0x000000000031A000-memory.dmp

    Filesize

    104KB

  • memory/1848-2-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp

    Filesize

    2.5MB