Analysis
- max time kernel: 69s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: SwiftRef_INV0880021122020.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SwiftRef_INV0880021122020.xlsx
  Resource: win10v20201028
General
- Target: SwiftRef_INV0880021122020.xlsx
- Size: 2.1MB
- MD5: 718d82225f395451cdb526415d0c731d
- SHA1: 1b5f38031a9c79b619ca55da7acfcea8f777b68b
- SHA256: f248734ac37efc2acdef5a28ed576e47ac294a99183173fab722bb45a65ddc6e
- SHA512: 46b72ea1fd547910fa6c3643cfaf3d918427eb9218157212f0b203730fc6c08beb340e02bb6daabfdb06ac9414891dfdeeca28dc0ca4c72d451b2f979fd7382c
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    flow 6, pid 1956, EQNEDT32.EXE
- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
    1496 vbc.exe
    2040 vbc.exe
    1300 vbc.exe
    1924 vbc.exe
    1592 vbc.exe
    1684 vbc.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    1956 EQNEDT32.EXE (4 events)
- Uses the VBS compiler for execution (1 TTP)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE
    Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE
    Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE
    Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE
    Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE
    Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE
    Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE
    Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE
    Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
    1824 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
    1496 vbc.exe (10 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, pid 1496, vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
    1824 EXCEL.EXE (3 events)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process):
    PID 1956 wrote to memory of 1496: EQNEDT32.EXE -> vbc.exe (4 events)
    PID 1496 wrote to memory of 2040: vbc.exe -> vbc.exe (4 events)
    PID 1496 wrote to memory of 1300: vbc.exe -> vbc.exe (4 events)
    PID 1496 wrote to memory of 1924: vbc.exe -> vbc.exe (4 events)
    PID 1496 wrote to memory of 1592: vbc.exe -> vbc.exe (4 events)
    PID 1496 wrote to memory of 1684: vbc.exe -> vbc.exe (4 events)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SwiftRef_INV0880021122020.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: 7c0158f3cf2b6d843226e3a1a86cc11f
  SHA1: 15667c2460d0f3d9908daf6c1d6f24b04225cc35
  SHA256: 092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb
  SHA512: c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9
- \Users\Public\vbc.exe
  MD5: 7c0158f3cf2b6d843226e3a1a86cc11f
  SHA1: 15667c2460d0f3d9908daf6c1d6f24b04225cc35
  SHA256: 092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb
  SHA512: c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9
- memory/1496-14-0x0000000004BA0000-0x0000000004BF8000-memory.dmp (Filesize: 352KB)
- memory/1496-13-0x0000000001DC0000-0x0000000001DD2000-memory.dmp (Filesize: 72KB)
- memory/1496-11-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
- memory/1496-10-0x000000006B7D0000-0x000000006BEBE000-memory.dmp (Filesize: 6.9MB)
- memory/1496-7-0x0000000000000000-mapping.dmp
- memory/1672-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (Filesize: 2.5MB)