Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-01-2021 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: document_v152120.doc.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: document_v152120.doc.rtf
  Resource: win10v20201028
General
- Target: document_v152120.doc.rtf
- Size: 12KB
- MD5: 3c9b171aa4191384845ffc13021f3a7f
- SHA1: 0acd262c9aad61b328b4d37a3460ba41630ef3a0
- SHA256: 140ee2b8d6fba55259d70bab833fbae1924c7426bb8ddc79aaa5088435281872
- SHA512: 62bd151a6e9520133a6e1257f06ebe8bfcd0da71f7665a402b9d136c48c561f3b17eaae462cc709845c503de89d208d735caacb7e5df234ad2397900d7de89cc
Malware Config
- Extracted: remcos
- moneyds.ddns.net:6332
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow, pid, process):
    flow 6, pid 1880, EQNEDT32.EXE
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    pid 1160, vbc.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    pid 1880, EQNEDT32.EXE (listed 4 times)
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vzuer = "C:\\Users\\Public\\Libraries\\reuzV.url" (vbc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Drops file in Windows directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
    HTTP User-Agent header, flow 8: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
    pid 1632, WINWORD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    pid 600, ieinstal.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
    pid 1632, WINWORD.EXE
    pid 1632, WINWORD.EXE
    pid 600, ieinstal.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 1880 wrote to memory of 1160: EQNEDT32.EXE -> vbc.exe (repeated 4 times)
    PID 1160 wrote to memory of 600: vbc.exe -> ieinstal.exe (repeated 19 times)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document_v152120.doc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Public\vbc.exe
  MD5: 94423788a47cedbe5b46a2b89b5b9752
  SHA1: 71608fbb6afbfcf32539aa5904648ee1649dae18
  SHA256: 3bcf899b778064f54dd03e61ad7f645386e8b8036ecae968cc33590ea89516be
  SHA512: 291befa1bdcf49517854b9891c98e0bed663d3a7cf7ffd9aabf4225c466963b6d9fc6ddafc4bed34bc7946fb49545a9c1e8499ed785f0ec666675f713b156cfd
- \Users\Public\vbc.exe
  MD5: 94423788a47cedbe5b46a2b89b5b9752
  SHA1: 71608fbb6afbfcf32539aa5904648ee1649dae18
  SHA256: 3bcf899b778064f54dd03e61ad7f645386e8b8036ecae968cc33590ea89516be
  SHA512: 291befa1bdcf49517854b9891c98e0bed663d3a7cf7ffd9aabf4225c466963b6d9fc6ddafc4bed34bc7946fb49545a9c1e8499ed785f0ec666675f713b156cfd
- memory/600-17-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize 4KB)
- memory/600-19-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/600-26-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
- memory/600-25-0x0000000010540000-0x0000000010564000-memory.dmp (Filesize 144KB)
- memory/600-15-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
- memory/600-16-0x0000000000000000-mapping.dmp
- memory/1160-13-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
- memory/1160-11-0x0000000000000000-mapping.dmp
- memory/1632-3-0x0000000070741000-0x0000000070743000-memory.dmp (Filesize 8KB)
- memory/1632-2-0x0000000072CC1000-0x0000000072CC4000-memory.dmp (Filesize 12KB)
- memory/1632-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1632-27-0x0000000001D80000-0x0000000001D81000-memory.dmp (Filesize 4KB)
- memory/1632-29-0x0000000001D80000-0x0000000001D81000-memory.dmp (Filesize 4KB)
- memory/1632-30-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1788-6-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp (Filesize 2.5MB)
- memory/1880-5-0x0000000076341000-0x0000000076343000-memory.dmp (Filesize 8KB)