Analysis
- max time kernel: 151s
- max time network: 93s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-01-2021 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: 2020_SOA_Payment_21Dec2020.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2020_SOA_Payment_21Dec2020.xlsx
  Resource: win10v20201028
General
- Target: 2020_SOA_Payment_21Dec2020.xlsx
- Size: 2.4MB
- MD5: 2cdc1a820d72b36d6d4ed94c8ca9d68f
- SHA1: 6defcb2d984e3bc2b5cea266e1d6a009646d6831
- SHA256: 85d4c229751f2a80c801186ff3494ac4f18fc8ef88d4a81a808f2bcd81fd3a87
- SHA512: 67f6353af1f30f205b21c3a22bb90639d215a9d90856052c6225d1f66c81bf14a20ec8cf667bb2fdf6d851f4c4459da2ca4cfb5af6d9647f7ae438b74dcfdeaf
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 7, PID 1904, EQNEDT32.EXE
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1444, vbc.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    PID 1904, EQNEDT32.EXE (2 events)
    PID 1324, WerFault.exe (3 events)
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    PID 1324, WerFault.exe; target PID 1444, vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    PID 1432, EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 1324, WerFault.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 1444, vbc.exe
    Token: SeDebugPrivilege, PID 1324, WerFault.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    PID 1432, EXCEL.EXE (5 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1904 (EQNEDT32.EXE) wrote to memory of PID 1444 (vbc.exe) (4 events)
    PID 1444 (vbc.exe) wrote to memory of PID 1324 (WerFault.exe) (4 events)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1432)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2020_SOA_Payment_21Dec2020.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1904)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 1444, child of EQNEDT32.EXE)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1324, child of vbc.exe)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 928
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe (also listed as \Users\Public\vbc.exe)
  MD5: f6132f0e9aa1c53e08299d301c6fd4cb
  SHA1: f40cee7c21c9e83b31e66012cafc4f97a00fb536
  SHA256: 536111d26c4a36d6712b2ddb77c7afd90299077596450a5a8eb686d1023e8d02
  SHA512: ac10f75b8458465d6c7e23feba1192f195d5bdb925143b74dbe417adc647c472ca8394682d84d2f357fba735aafe78bc0505fac9453394401aaae6bef72fd32b
- memory/1324-18-0x0000000000A00000-0x0000000000A11000-memory.dmp (68KB)
- memory/1324-17-0x0000000000000000-mapping.dmp
- memory/1324-22-0x0000000000270000-0x0000000000271000-memory.dmp (4KB)
- memory/1432-2-0x000000002F711000-0x000000002F714000-memory.dmp (12KB)
- memory/1432-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1432-3-0x00000000713C1000-0x00000000713C3000-memory.dmp (8KB)
- memory/1444-9-0x0000000000000000-mapping.dmp
- memory/1444-12-0x000000006C4B0000-0x000000006CB9E000-memory.dmp (6.9MB)
- memory/1444-13-0x0000000000A60000-0x0000000000A61000-memory.dmp (4KB)
- memory/1444-15-0x00000000003E0000-0x00000000003E1000-memory.dmp (4KB)
- memory/1444-16-0x0000000000680000-0x00000000006A5000-memory.dmp (148KB)
- memory/1812-6-0x000007FEF74A0000-0x000007FEF771A000-memory.dmp (2.5MB)
- memory/1904-5-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (8KB)