f248734ac37efc2acdef5a28ed576e47ac294a99183173fab722bb45a65ddc6e

Analysis

max time kernel
69s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SwiftRef_INV0880021122020.xlsx
Size

2.1MB
MD5

718d82225f395451cdb526415d0c731d
SHA1

1b5f38031a9c79b619ca55da7acfcea8f777b68b
SHA256

f248734ac37efc2acdef5a28ed576e47ac294a99183173fab722bb45a65ddc6e
SHA512

46b72ea1fd547910fa6c3643cfaf3d918427eb9218157212f0b203730fc6c08beb340e02bb6daabfdb06ac9414891dfdeeca28dc0ca4c72d451b2f979fd7382c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1956 EQNEDT32.EXE
Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1496 vbc.exe
2040 vbc.exe
1300 vbc.exe
1924 vbc.exe
1592 vbc.exe
1684 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1956 EQNEDT32.EXE
1956 EQNEDT32.EXE
1956 EQNEDT32.EXE
1956 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1956 EQNEDT32.EXE

flow	pid	process
6	1956	EQNEDT32.EXE

pid	process
1496	vbc.exe
2040	vbc.exe
1300	vbc.exe
1924	vbc.exe
1592	vbc.exe
1684	vbc.exe

pid	process
1956	EQNEDT32.EXE
1956	EQNEDT32.EXE
1956	EQNEDT32.EXE
1956	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1956	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1824 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
1496 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1496 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1824 EXCEL.EXE
1824 EXCEL.EXE
1824 EXCEL.EXE

pid	process
1824	EXCEL.EXE

pid	process
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe
1496	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1496	vbc.exe

pid	process
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1956 wrote to memory of 1496	1956	EQNEDT32.EXE	vbc.exe
PID 1956 wrote to memory of 1496	1956	EQNEDT32.EXE	vbc.exe
PID 1956 wrote to memory of 1496	1956	EQNEDT32.EXE	vbc.exe
PID 1956 wrote to memory of 1496	1956	EQNEDT32.EXE	vbc.exe
PID 1496 wrote to memory of 2040	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 2040	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 2040	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 2040	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1300	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1300	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1300	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1300	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1924	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1924	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1924	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1924	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1592	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1592	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1592	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1592	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1684	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1684	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1684	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 1684	1496	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SwiftRef_INV0880021122020.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2040

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1300

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1924

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1592

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
C:\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
\Users\Public\vbc.exe
MD5
7c0158f3cf2b6d843226e3a1a86cc11f

SHA1
15667c2460d0f3d9908daf6c1d6f24b04225cc35

SHA256
092079f16dc67cf3ebe88fbe156ebf31218cf741e3433b77a45a355b63ace9eb

SHA512
c25b94bba7b6d964ee48f1c06ce7a84330182427cc52e12e0f9dd1da1653491e916d26ff5f914cda507573753cf782f507a5111666d904d33f2a7dec64f988a9

Download Submit
memory/1496-14-0x0000000004BA0000-0x0000000004BF8000-memory.dmp

Filesize
352KB

Download
memory/1496-13-0x0000000001DC0000-0x0000000001DD2000-memory.dmp

Filesize
72KB

Download
memory/1496-11-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1496-10-0x000000006B7D0000-0x000000006BEBE000-memory.dmp

Filesize
6.9MB

Download
memory/1496-7-0x0000000000000000-mapping.dmp

Download
memory/1672-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmp

Filesize
2.5MB

Download