Analysis
  max time kernel:  149s
  max time network: 148s
  platform:         windows7_x64
  resource:         win7v20201028
  submitted:        19-01-2021 07:59
Static task: static1
Behavioral task: behavioral1
  Sample:   6d238a412f808d2c4c56865d7f4c4d16.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample:   6d238a412f808d2c4c56865d7f4c4d16.rtf
  Resource: win10v20201028
General
  Target: 6d238a412f808d2c4c56865d7f4c4d16.rtf
  Size:   11KB
  MD5:    6d238a412f808d2c4c56865d7f4c4d16
  SHA1:   cf2c952dd7303167d7e666763dcf278088190f52
  SHA256: a4ab58cc18771c7141e96d45714b7aeb046ff7173ec5266f08da7b28d411744e
  SHA512: 764bc68ac1f55d2b0b717ec8434f22c8bc5baf50cfa517e8d0fbae22f2419332d33f67d5dc41bab415e5e68af9b42c41df8262f25ea105f65c4984e8c5c3fbe8
Malware Config
  Extracted family: remcos
  Host:             4sureme.ddns.net:4902
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader First Stage (5 IoCs)
  resource                  yara_rule
  \Users\Public\vbc.exe     modiloader_stage1
  \Users\Public\vbc.exe     modiloader_stage1
  \Users\Public\vbc.exe     modiloader_stage1
  C:\Users\Public\vbc.exe   modiloader_stage1
  C:\Users\Public\vbc.exe   modiloader_stage1
Blocklisted process makes network request (1 IoC)
  flow  pid   process
  5     1876  EQNEDT32.EXE

Executes dropped EXE (1 IoC)
  pid   process
  1168  vbc.exe

Loads dropped DLL (3 IoCs)
  pid   process
  1876  EQNEDT32.EXE
  1876  EQNEDT32.EXE
  1876  EQNEDT32.EXE
Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvchn = "C:\\Users\\Admin\\nhcvR.url"  vbc.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                                   process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log     WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  description      ioc                                                                                                                                            process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"     WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel           WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar                                      WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"         WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt                                      WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                     WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE

Modifies system certificate store
  description       ioc                                                                                                                   process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13        vbc.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted]  vbc.exe
Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description            flow  ioc
  HTTP User-Agent header  7    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  9    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   process
  1632  WINWORD.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  1632  WINWORD.EXE
  1632  WINWORD.EXE
  1948  ieinstal.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description                      pid   process       target process   count
  PID 1876 wrote to memory of 1168  1876  EQNEDT32.EXE  vbc.exe          4 entries
  PID 1168 wrote to memory of 1948  1168  vbc.exe       ieinstal.exe     19 entries
Processes

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6d238a412f808d2c4c56865d7f4c4d16.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies system certificate store
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\internet explorer\ieinstal.exe
            Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
  MD5:    ae8ba034c111e338ffc8cced610e23c7
  SHA1:   edfd786403ebea26e612b0240b1ce980f170f245
  SHA256: 6cdb03bc316fbf184d610d24d85ca86ec2269413ae8ae8ac87f296afb08dacea
  SHA512: bbae7a78743ded59170bab7fa5a2a240ab24fbe065f39d0c00d13655fefba4074d23e952ca994945a722f24dedee6d59c8d2ca0569f2497a1e3f82b1490c2b42
Memory dumps
  memory/1168-12-0x0000000000230000-0x0000000000231000-memory.dmp   4KB
  memory/1168-10-0x0000000000000000-mapping.dmp
  memory/1632-3-0x0000000070741000-0x0000000070743000-memory.dmp    8KB
  memory/1632-4-0x000000005FFF0000-0x0000000060000000-memory.dmp    64KB
  memory/1632-2-0x0000000072CC1000-0x0000000072CC4000-memory.dmp    12KB
  memory/1788-6-0x000007FEF6840000-0x000007FEF6ABA000-memory.dmp    2.5MB
  memory/1876-5-0x0000000076341000-0x0000000076343000-memory.dmp    8KB
  memory/1948-15-0x0000000000000000-mapping.dmp
  memory/1948-16-0x0000000000150000-0x0000000000151000-memory.dmp   4KB
  memory/1948-14-0x0000000000110000-0x0000000000111000-memory.dmp   4KB
  memory/1948-18-0x0000000000240000-0x0000000000241000-memory.dmp   4KB
  memory/1948-24-0x0000000010540000-0x0000000010564000-memory.dmp   144KB
  memory/1948-25-0x0000000000250000-0x0000000000271000-memory.dmp   132KB