Analysis
max time kernel: 71s
max time network: 14s
platform: windows7_x64
resource: win7v20201028
submitted: 26-02-2021 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc
  Resource: win10v20201028
General
Target: SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc
Size: 68KB
MD5: 40f29a4e81362d9a05688a5eb279bcd6
SHA1: 98bacf0e21570110c64672dd8f666f6490f28faa
SHA256: a6d83d134a7fdc7dafdddfdb8b5f0e8a41d3396d02915fb0beef7f2d3a7025bc
SHA512: 93a19ad096579089fdcb87463acbbaf8711a4a44ab9f5fc5be3476ff92a59adc7e2b4b9a72cfce5d58499902bf418c72028235f33cd5db7c9ea026ffb04673e5
Malware Config
Extracted
Family: metasploit
Payload: windows/download_exec
URL: http://remote.viowi.org:443/thumb/preview.gif
Note the http scheme on port 443: the stager fetches its second stage as plain HTTP over the HTTPS port, which is a useful network detection hook (HTTP request on 443, or an HTTP GET for a .gif that is not an image) independent of the host name.
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1292 (process: MSBuild.exe)
  pid_target: 336 (target process: WINWORD.EXE)
Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes (all WINWORD.EXE):
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Triage note: the wiatrace.log write and the Internet Explorer MenuExt/Toolbar entries ("Export to Microsoft Excel", "Send to OneNote") are the routine artifacts of Office 2010 initialising on a fresh user profile and appear in most Word sandbox runs; they are not attacker actions. The signatures that matter here are the VBA load and the unexpected MSBuild.exe child process.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: pid 336 WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: pid 336 WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 336 (WINWORD.EXE) wrote to memory of 1292 (MSBuild.exe): 4 events
  PID 1292 (MSBuild.exe) wrote to memory of 1620 (csc.exe): 4 events
  PID 1620 (csc.exe) wrote to memory of 860 (cvtres.exe): 4 events
Each group of four writes accompanies one process creation in the chain (the same pattern appears for the csc.exe to cvtres.exe step, which is an ordinary compiler invocation), so these are parent-to-child writes made while setting up the new process rather than evidence of code injection on their own. The finding is the parent/child chain itself.
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 336)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (pid 1292)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (pid 1620)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.cmdline"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (pid 860)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E6A.tmp" "c:\Users\Admin\AppData\Local\Temp\lhkj0zys\CSC77845121CA6D47B881754EB37627D4C9.TMP"

Reading the chain: the document drops a project file (C:\Users\Admin\Documents\template.xml, listed under Downloads) and launches the Microsoft-signed MSBuild.exe on it. MSBuild treats the XML as a project and compiles the inline C# task it contains with csc.exe; the lhkj0zys.0.cs source, lhkj0zys.cmdline response file, lhkj0zys.dll and lhkj0zys.pdb under Downloads are that compile's artifacts, and cvtres.exe is the resource converter csc.exe invokes (its output is RES8E6A.tmp). The compiled task then runs inside the MSBuild process, which is where the extracted Metasploit windows/download_exec stager executes. This is the MSBuild inline-task technique (ATT&CK T1127.001, Trusted Developer Utilities Proxy Execution: MSBuild; T1127 in the v6 matrix this report references): no unsigned executable is ever written or launched, so allow-listing keyed on signer or path does not block it, and the detection has to come from process lineage (Office spawning MSBuild) and from MSBuild being handed a non-project file under a user profile.
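The detection logic the chain above calls for, as an added example that is not part of the sandbox report or of the sample: it walks process-creation events, flags any .NET developer utility (MSBuild, csc, vbc, cvtres) that has an Office application anywhere in its ancestry, and separately flags MSBuild being run against a file that is not a build file or that lives under a user profile. The event schema (pid, ppid, image, cmdline) is an assumption to be mapped from your own telemetry (Sysmon Event ID 1 or Security 4688); the sample events are constructed to mirror this report's tree, plus one constructed benign developer build as a control.

```python
"""Detection for the WINWORD -> MSBuild -> csc -> cvtres chain in this report.

Added example; not code from the sandbox or the sample. The event schema
(pid, ppid, image, cmdline) is an assumption: map it from Sysmon Event ID 1 or
Security 4688 in practice. SAMPLE_EVENTS are constructed to mirror the report's
process tree, plus one constructed benign build as a control.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
DOTNET_DEV_UTILS = {"msbuild.exe", "csc.exe", "vbc.exe", "cvtres.exe"}
# Extensions MSBuild is normally handed; an .xml under a user profile is the inline-task tell.
MSBUILD_PROJECT_EXTS = {".proj", ".csproj", ".vbproj", ".vcxproj", ".sln", ".targets", ".props"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # full command line as logged


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def msbuild_project_args(cmdline: str) -> list:
    """Non-switch arguments after the image: the project file(s) MSBuild will execute."""
    return [a for a in split_cmdline(cmdline)[1:] if not a.startswith(("/", "-"))]


def office_ancestor(event: ProcEvent, by_pid: dict):
    """Walk the parent chain and return the first Office process found, else None."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        if image_name(cur.image) in OFFICE_IMAGES:
            return cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples for the MSBuild inline-task pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        if name not in DOTNET_DEV_UTILS:
            continue
        # Rule 1: a .NET developer utility with an Office application anywhere above it.
        # Walking ancestors rather than only the parent also catches csc.exe and cvtres.exe.
        anc = office_ancestor(e, by_pid)
        if anc is not None:
            findings.append(("office_ancestor_dev_util", e.pid,
                             f"{image_name(anc.image)}({anc.pid}) -> {name}({e.pid})"))
        # Rule 2: MSBuild run against something that is not a build file, or that
        # lives under a user profile (here: C:\Users\Admin\Documents\template.xml).
        if name == "msbuild.exe":
            for proj in msbuild_project_args(e.cmdline):
                ext = ntpath.splitext(proj)[1].lower()
                if ext not in MSBUILD_PROJECT_EXTS or proj.lower().startswith("c:\\users\\"):
                    findings.append(("msbuild_nonstandard_project", e.pid, proj))
    return findings


# Constructed events mirroring the report's tree (pids 336, 1292, 1620, 860); the
# ppid of WINWORD.EXE and the cmd.exe/MSBuild control pair are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(336, 1, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc"'),
    ProcEvent(1292, 336, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml'),
    ProcEvent(1620, 1292, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.cmdline"'),
    ProcEvent(860, 1620, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E6A.tmp" "c:\Users\Admin\AppData\Local\Temp\lhkj0zys\CSC77845121CA6D47B881754EB37627D4C9.TMP"'),
    # Benign control: a developer building a real project from a console (constructed).
    ProcEvent(4000, 3999, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(4001, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /t:Build C:\src\app\app.csproj'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the constructed events, the malicious chain produces four findings (MSBuild, csc and cvtres under WINWORD, plus MSBuild being handed template.xml) and the control build produces none. Rule 2 is the one worth tuning locally: build servers and developer workstations legitimately run MSBuild on .csproj files outside C:\Users, so keep the user-profile condition and the extension allow-list separate when you turn this into a Sigma or EDR rule.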
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RES8E6A.tmp
  MD5: 726fdd3d9ba67c7884b5a88cad258d22
  SHA1: 8e0b89687c4753d7ddd1ba1312934ce555dfdc01
  SHA256: 5f4f577afeeaad05407bdecd931f06de81ac8c64a59168d443c33c9e298e2e76
  SHA512: 2dc64c38d5e850b0458fe2f6511bd96ada2e65aea827d624f0a8337ceb74691060ca155446e9ea2f986cff7e1e788a2ceb41bb418d3c7113bacf6b8dcd8f2d76

C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.dll
  MD5: 237e08b1cb5091f9529c112dbb63b92b
  SHA1: 9290313fa5ddbc39f6e7e96b5cf31971960b62b7
  SHA256: d364c6417fdbf6d19180dd5d7825ded2c7040c944f05761c9bfc48e07351823a
  SHA512: c9a251240a58deba450661b5709a113aacf9f6eb2327cae5703f6445df2821f79fe937c60bd0be649d8b3150052cee1143f640fae443593f04c6e32f81829c53

C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.pdb
  MD5: 1fee2767d2656fb605eb15b4c4284bb8
  SHA1: aa9a9537aa83bbccef64eec06e6391b6425866dd
  SHA256: ed3a17f6ad3867356cec4e372ad0ec256d166ae846edd742e16116a071e61af6
  SHA512: 87ab160d67af2edf20511a92a66a469516d3a1439a7442275846ec86f2eccc604b999622c465da23187c12ba2ffb27ee49285c2119ace481640bde617c377299

C:\Users\Admin\Documents\template.xml
  MD5: 33d91e9ab32c8b1659666360438894ad
  SHA1: 0506714e2cf930423357e69df81fa9d3de10dd34
  SHA256: 3b1eff572645ccf2488b6afb6a0a0abb6fa37c019b7c7b382267594075783128
  SHA512: ad6a2f642f27cf27ef6ec4c75cc32f5f5115d01e9b63a92bccd700cb84d4c6bf42d04f2940f1a28bce90e4a2c4952c1b9d6d2e71e6a00a0f7a1d751265281534

\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\CSC77845121CA6D47B881754EB37627D4C9.TMP
  MD5: f4e714fc99780c47529b58d71bcb14a3
  SHA1: 5950d8af4788bb116d8bdd8d8115159a424bd7e7
  SHA256: c5a57b973bb686bed8a0606b94370bad096afbc00864af36c0adfb6696633f02
  SHA512: 8173370d2a8c07819ce47e933de2a06fbc7ac270f950e0898b441a8848aad2e8a67f636aef30972e2d4a9cd4eec964262842f7db0056b21da8e98c028b2f7878

\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.0.cs
  MD5: 194f7a38a0bfd4157d16502917f7cad1
  SHA1: 9bb6d112728c33a1009fc12837ceebf48d70ff55
  SHA256: cf186081fc91ef5c08335e52a41111ef846723e1159be7e1be61fb8d21f1fc11
  SHA512: afc993508a2c94a221e9ead9d3417db8ad90c15635f05c744ce1d2c6e1545faed7bc5318e1bf447bc1637832d09c19b9ca926e1a3f28fb8d5be1288610d56fb9

\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.cmdline
  MD5: e710398bfd8589661b1705dc3b0020ef
  SHA1: e7300096985def141ab36b4bf5a3c58b93d4732c
  SHA256: 35b477386e208c44b8c14012bc553110c8aa030f3b41a97e166b355e4e93dca1
  SHA512: 8a245cad19ed5a47f7e32292d1333351379983ed14bfd953e450285b42fbf859dd4d37ef4f9d81da71feeb9d582f23ed9641c32d64fcb99e22a6fee10b881e9c
-
memory/336-2-0x00000000720E1000-0x00000000720E4000-memory.dmpFilesize
12KB
-
memory/336-25-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/336-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/336-3-0x000000006FB61000-0x000000006FB63000-memory.dmpFilesize
8KB
-
memory/596-27-0x000007FEF6EA0000-0x000007FEF711A000-memory.dmpFilesize
2.5MB
-
memory/860-19-0x0000000000000000-mapping.dmp
-
memory/1292-8-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/1292-15-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/1292-14-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/1292-13-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1292-12-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/1292-11-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/1292-10-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/1292-7-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/1292-24-0x00000000004E0000-0x00000000004E2000-memory.dmpFilesize
8KB
-
memory/1292-6-0x000000006A8B0000-0x000000006AF9E000-memory.dmpFilesize
6.9MB
-
memory/1292-26-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/1292-5-0x0000000000000000-mapping.dmp
-
memory/1620-16-0x0000000000000000-mapping.dmp