Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 06:52
Static task: static1
Behavioral task: behavioral1
- Sample: PO AR483-1590436 _ J-3000 PROJT.xlsx
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PO AR483-1590436 _ J-3000 PROJT.xlsx
- Resource: win10v20201028
(The platform line above shows that the results on this page come from behavioral1, the Windows 7 x64 run.)
General
- Target: PO AR483-1590436 _ J-3000 PROJT.xlsx
- Size: 55KB
- MD5: 245fa98d0fc156ccd21c92b31ec8c5c7
- SHA1: b5cabd660aafef98fc3fbc987aa1bc4d5884fa17
- SHA256: a681967d5d91f1def07dcde80d561b9621381760b781c970746673d53e7bfcd7
- SHA512: b78e1f36524ddb9a76d36ee809150bd8cf0f2a0a3ae747d79046e6cb5a14e863485e0740c2a860b7f40be19b70f2607c0cd9f1a753facf8c41d4c7c2cd22c3b7
Malware Config
Extracted: remcos
- C2 host: 4sureme.ddns.net:4902
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi loader that abuses cloud services to download other malicious families; here the family it delivers is the Remcos configuration extracted above.
-
ModiLoader First Stage 5 IoCs
Processes:
resource | yara_rule
\Users\Public\vbc.exe | modiloader_stage1 (3 matches)
C:\Users\Public\vbc.exe | modiloader_stage1 (2 matches)
The five matches are the same dropped file recorded under two path spellings; its hashes are in the Downloads section.
Blocklisted process makes network request 1 IoCs
Processes:
process | flow | pid
EQNEDT32.EXE | 16 | 364
-
Executes dropped EXE 1 IoCs
Processes:
process | pid
vbc.exe | 1416
Abuses OpenXML format to download file from external location
The workbook contains a package relationship whose target is a remote location rather than a part inside the .xlsx, so Office fetches it when the document is opened. The document[1].doc cached under Temporary Internet Files in the Downloads section is consistent with that fetch, and WINWORD.EXE is then started with -Embedding to handle it. The report does not show the URL itself.
-
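A check for this signature that a practitioner can run offline, as an added example and not a check from the sandbox or the report: it walks every .rels part in an Office Open XML package and reports relationships that leave the package, then scores the ones Office resolves on open (embedded OLE objects, external workbook links, attached templates) separately from plain hyperlinks. The minimal .xlsx it scans is constructed in memory for the test and the URL in it is a placeholder; the real target is not on the page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship kinds that make Office fetch and act on a remote part when the
# document opens. Hyperlinks are external by design and need a click, so they
# are reported but not scored.
AUTO_FETCH_TYPES = {"oleObject", "externalLinkPath", "attachedTemplate", "frame", "package"}
URL_RE = re.compile(r"(?i)^(?:https?|ftp|file)://|^\\\\")


def external_relationships(package_bytes):
    """Every relationship in any .rels part whose target leaves the package.
    Returns (rels_part, relationship_type, target) tuples in package order."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                # Trust neither attribute alone: a URL target with TargetMode
                # left at its Internal default is still a remote reference.
                if rel.get("TargetMode") == "External" or URL_RE.match(target):
                    hits.append((name, rtype, target))
    return hits


def auto_fetch_hits(hits):
    """The subset of hits that Office resolves without user interaction."""
    return [h for h in hits if h[1] in AUTO_FETCH_TYPES]


def build_sample_xlsx(rtype, target):
    """Constructed minimal package for exercising the scanner: one worksheet
    relationship of the given type pointing at target. Excel would not open it."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (REL_NS, OFFICE_REL, rtype, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
                    'Target="xl/workbook.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


# Placeholder URL: the report above does not show the real download location.
PLACEHOLDER = "http://example.invalid/document.doc"

if __name__ == "__main__":
    for rtype in ("oleObject", "hyperlink"):
        hits = external_relationships(build_sample_xlsx(rtype, PLACEHOLDER))
        verdict = "fetches on open" if auto_fetch_hits(hits) else "no automatic fetch"
        print("%-10s %s %s" % (rtype, verdict, hits))
```

To use it on a real sample, pass the file's bytes to external_relationships and treat any non-empty auto_fetch_hits result as the trigger for pulling the target from the proxy logs; the .rels walk also covers .docx and .pptx, since all three share the package format.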
Loads dropped DLL 3 IoCs
Processes:
process | pid
EQNEDT32.EXE | 364 (3 loads)
-
Uses the VBS compiler for execution 1 TTPs
This signature is name-based. vbc.exe is the Visual Basic .NET compiler and lives under the .NET Framework directory; the file here is a dropped executable in C:\Users\Public that matches the modiloader_stage1 YARA rule, so the name is a masquerade rather than a use of the real compiler.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process | description | ioc
vbc.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvchn = "C:\\Users\\Admin\\nhcvR.url"
The Run value points at a .url shortcut in the root of the user profile (the value name is the file name reversed), so the persisted target is whatever that shortcut resolves to rather than vbc.exe itself; the shortcut's contents are not shown in the report.
-
Office loads VBA resources, possible macro or embedded object present
The sample is an .xlsx, a format that cannot carry VBA macros, so an embedded object is the consistent reading here.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
process | description | ioc
EXCEL.EXE | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is started here with -Embedding, i.e. as an out-of-process COM server, which is why it appears at the top level of the process tree below rather than as a child of EXCEL.EXE or WINWORD.EXE.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
process | description | ioc
EXCEL.EXE | Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
EXCEL.EXE | Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
EXCEL.EXE | Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
EXCEL.EXE | Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
EXCEL.EXE | Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
EXCEL.EXE | Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
EXCEL.EXE | Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
EXCEL.EXE | Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
EXCEL.EXE | Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
These MenuExt and Toolbar entries are the standard Office integration keys Excel writes on first start in a fresh profile; they are sandbox noise, not activity of the sample.
Modifies system certificate store 2 IoCs
Processes:
process | description | ioc
vbc.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
vbc.exe | Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted from this copy of the report)
The thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is that of the public DST Root CA X3 certificate, and AuthRoot is the store that Windows' automatic root update populates when a chain is validated for the first time. The write is therefore consistent with the loader's own outbound TLS connection triggering a root fetch, not with an attacker-installed root; it still serves as a timing marker for the first network activity of vbc.exe.
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 18 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 20 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, which is what scripts and Delphi or VBA code typically reach for; the report does not attribute flows 18 and 20 to a process.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
process | pid
EXCEL.EXE | 1648
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
process | pid
EXCEL.EXE | 1648 (3 calls)
WINWORD.EXE | 1104 (2 calls)
ieinstal.exe | 1804 (1 call)
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
source pid | source process | target pid | target process | writes
364 | EQNEDT32.EXE | 1416 | vbc.exe | 4
1104 | WINWORD.EXE | 308 | splwow64.exe | 4
1416 | vbc.exe | 1804 | ieinstal.exe | 19
The two groups of four writes are what a parent does to a freshly created child during CreateProcess (splwow64.exe is the 64-bit print-driver helper that 32-bit Office spawns), so they only confirm who launched whom. The nineteen writes from vbc.exe into ieinstal.exe, a signed Internet Explorer binary, together with the image-sized region later dumped from PID 1804 at 0x400000, are consistent with the loader injecting the Remcos payload into that process.
Processes
-
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO AR483-1590436 _ J-3000 PROJT.xlsx"  (PID 1648, level 1)
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding  (PID 1104, level 1)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\splwow64.exe 12288  (PID 308, level 2, child of WINWORD.EXE)
-
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding  (PID 364, level 1)
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
  -
  "C:\Users\Public\vbc.exe"  (PID 1416, level 2, child of EQNEDT32.EXE)
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
    -
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"  (PID 1804, level 3, child of vbc.exe)
    - Suspicious use of SetWindowsHookEx
Reading the tree: Excel opens the workbook and resolves its external relationship; WINWORD.EXE and EQNEDT32.EXE both start with -Embedding, i.e. as COM servers activated through the DCOM launcher, so the sandbox lists them at level 1 with no Office parent even though Office caused them to run. Detection logic that requires EXCEL.EXE or WINWORD.EXE to be the direct parent of EQNEDT32.EXE or of the dropped file will miss this chain; the reliable anchors are EQNEDT32.EXE spawning any child at all, execution from C:\Users\Public, and the dropped file writing into ieinstal.exe.
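The detection points just described, as an added example and not part of the sandbox report: a small correlation pass over telemetry shaped like this report's process tree, memory writes, registry sets and HTTP flows. The events are constructed from the PIDs, paths and values on this page; the field layout is mine and follows no particular EDR schema, and PID 700, standing in for the DCOM activation host that launches the two -Embedding servers, is an assumption because the report does not show that parent.

```python
import ntpath
from collections import Counter

# Paths a standard user can write to; execution from here is the first question to ask.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"c:\users\admin\appdata")

# Where well-known binary names are expected to live (vbc.exe is the VB.NET compiler).
KNOWN_HOMES = {"vbc.exe": r"c:\windows\microsoft.net\framework"}

SID = "S-1-5-21-293278959-2699126792-324916226-1000"

# Constructed telemetry reproducing the report's process tree: (pid, ppid, image, args).
# PID 700 is an assumed stand-in for the DCOM launcher that starts -Embedding servers.
PROCESSES = [
    (1648, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE", "/dde"),
    (1104, 700, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE", "-Embedding"),
    (308, 1104, r"C:\Windows\splwow64.exe", "12288"),
    (364, 700, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "-Embedding"),
    (1416, 364, r"C:\Users\Public\vbc.exe", ""),
    (1804, 1416, r"C:\Program Files (x86)\internet explorer\ieinstal.exe", ""),
]
# (writer pid, target pid), one entry per WriteProcessMemory call, counts as reported.
MEMORY_WRITES = [(364, 1416)] * 4 + [(1104, 308)] * 4 + [(1416, 1804)] * 19
# (pid, key, data) for registry values the report shows being set.
REGISTRY_SETS = [
    (1416, r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\Rvchn" % SID, r"C:\Users\Admin\nhcvR.url"),
    (1648, r"HKU\%s\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton" % SID, "Yes"),
]
# (flow id, User-Agent); the report does not attribute these flows to a PID.
HTTP_REQUESTS = [(18, "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"),
                 (20, "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)")]


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def detect(processes, memory_writes, registry_sets, http_requests):
    """Return (rule, detail) findings, process rules first, then memory, registry, network."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, _args in processes:
        name = ntpath.basename(image).lower()
        parent = by_pid.get(ppid)
        # Equation Editor renders formulas; it has no business creating processes.
        if parent and ntpath.basename(parent[2]).upper() == "EQNEDT32.EXE":
            findings.append(("eqnedt32_child", "%d -> %d %s" % (ppid, pid, image)))
        if user_writable(image):
            findings.append(("exec_from_user_writable", "%d %s" % (pid, image)))
        if name in KNOWN_HOMES and not image.lower().startswith(KNOWN_HOMES[name]):
            findings.append(("known_name_wrong_path", "%d %s" % (pid, image)))
    for (src, dst), n in Counter(memory_writes).items():
        src_img, dst_img = by_pid[src][2], by_pid[dst][2]
        # A parent touches a freshly created child a few times during CreateProcess;
        # a writer living in a user-writable directory, or a long run of writes, is injection.
        if user_writable(src_img) or n >= 10:
            findings.append(("cross_process_write", "%d %s -> %d %s x%d"
                             % (src, ntpath.basename(src_img), dst, ntpath.basename(dst_img), n)))
    for pid, key, data in registry_sets:
        low = data.lower()
        # Run values normally point into Program Files; a .url or profile-rooted path does not.
        if "\\currentversion\\run\\" in key.lower() and (low.endswith(".url") or low.startswith("c:\\users\\")):
            findings.append(("run_key_to_user_file", "%d %s = %s" % (pid, key, data)))
    for flow, ua in http_requests:
        if "winhttprequest" in ua.lower():
            findings.append(("script_host_user_agent", "flow %d %s" % (flow, ua)))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(PROCESSES, MEMORY_WRITES, REGISTRY_SETS, HTTP_REQUESTS):
        print("%-26s %s" % (rule, detail))
```

The write-count threshold is what keeps WINWORD.EXE's four writes into splwow64.exe and EQNEDT32.EXE's four into its child out of the injection rule while still catching the nineteen into ieinstal.exe; tune it against your own CreateProcess baseline before deploying the logic.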
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4HTQEUG\document[1].doc
- MD5: 6d238a412f808d2c4c56865d7f4c4d16
- SHA1: cf2c952dd7303167d7e666763dcf278088190f52
- SHA256: a4ab58cc18771c7141e96d45714b7aeb046ff7173ec5266f08da7b28d411744e
- SHA512: 764bc68ac1f55d2b0b717ec8434f22c8bc5baf50cfa517e8d0fbae22f2419332d33f67d5dc41bab415e5e68af9b42c41df8262f25ea105f65c4984e8c5c3fbe8
-
C:\Users\Public\vbc.exe (the report lists this one file five times, twice as C:\Users\Public\vbc.exe and three times as \Users\Public\vbc.exe, all with identical hashes)
- MD5: ae8ba034c111e338ffc8cced610e23c7
- SHA1: edfd786403ebea26e612b0240b1ce980f170f245
- SHA256: 6cdb03bc316fbf184d610d24d85ca86ec2269413ae8ae8ac87f296afb08dacea
- SHA512: bbae7a78743ded59170bab7fa5a2a240ab24fbe065f39d0c00d13655fefba4074d23e952ca994945a722f24dedee6d59c8d2ca0569f2497a1e3f82b1490c2b42
-
Memory dumps, grouped by PID (process names from the tree above):
PID 308 (splwow64.exe)
- memory/308-16: 0x0000000000000000, mapping.dmp
- memory/308-18: 0x000007FEFB6F1000-0x000007FEFB6F3000, 8KB
PID 364 (EQNEDT32.EXE)
- memory/364-10: 0x0000000074B31000-0x0000000074B33000, 8KB
PID 1104 (WINWORD.EXE)
- memory/1104-6: 0x000000006B241000-0x000000006B244000, 12KB
PID 1416 (vbc.exe)
- memory/1416-14: 0x0000000000000000, mapping.dmp
- memory/1416-17: 0x0000000000230000-0x0000000000231000, 4KB
PID 1648 (EXCEL.EXE)
- memory/1648-2: 0x000000002FC01000-0x000000002FC04000, 12KB
- memory/1648-3: 0x0000000071001000-0x0000000071003000, 8KB
- memory/1648-4: 0x000000005FFF0000-0x0000000060000000, 64KB
PID 1804 (ieinstal.exe)
- memory/1804-20: 0x0000000000090000-0x0000000000091000, 4KB
- memory/1804-21: 0x0000000000000000, mapping.dmp
- memory/1804-22: 0x0000000000110000-0x0000000000111000, 4KB
- memory/1804-25: 0x0000000000140000-0x0000000000141000, 4KB
- memory/1804-30: 0x0000000010540000-0x0000000010564000, 144KB
- memory/1804-31: 0x0000000000400000-0x0000000000421000, 132KB
PID 1956 (not present in the process tree above)
- memory/1956-5: 0x000007FEF7080000-0x000007FEF72FA000, 2.5MB
The two larger regions dumped from PID 1804 (the 132KB image at the conventional 0x400000 base and the 144KB region at 0x10540000) are the ones to pull when looking for the injected Remcos payload.