Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30-03-2021 12:00
Static task
static1
Behavioral task
behavioral1
Sample
SWIFTCOPY_110255293303484_SANTANDER.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SWIFTCOPY_110255293303484_SANTANDER.doc
Resource
win10v20201028
General
-
Target
SWIFTCOPY_110255293303484_SANTANDER.doc
-
Size
1.6MB
-
MD5
2669b367e19d303277d90e1df00141d6
-
SHA1
e1acf19515cc4ce7cd4946226510a4b63a20571c
-
SHA256
0ceab68641ca19a5f55d30cfc6f0e714c62cbec56683dd723704b890e9863983
-
SHA512
a7c4fa232f8c6b70eeaab34b184a737e317340ecd69ce099e147151c90987d7fe57899ddfab96efaf8b96b6a716e75d841bc68b0541ea6587772ca07cf149008
Malware Config
Extracted
remcos
official.myq-see.com:2310
official.ydns.eu:2310
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Blocklisted process makes network request 2 IoCs
Processes:
EQNEDT32.EXEflow pid process 6 1740 EQNEDT32.EXE 7 1740 EQNEDT32.EXE -
Executes dropped EXE 1 IoCs
Processes:
69577.exepid process 572 69577.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1740 EQNEDT32.EXE 1740 EQNEDT32.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
69577.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nsrgar = "C:\\Users\\Public\\Libraries\\ragrsN.url" 69577.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 9 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1636 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEieinstal.exepid process 1636 WINWORD.EXE 1636 WINWORD.EXE 1300 ieinstal.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
WINWORD.EXEEQNEDT32.EXE69577.exedescription pid process target process PID 1636 wrote to memory of 1952 1636 WINWORD.EXE splwow64.exe PID 1636 wrote to memory of 1952 1636 WINWORD.EXE splwow64.exe PID 1636 wrote to memory of 1952 1636 WINWORD.EXE splwow64.exe PID 1636 wrote to memory of 1952 1636 WINWORD.EXE splwow64.exe PID 1740 wrote to memory of 572 1740 EQNEDT32.EXE 69577.exe PID 1740 wrote to memory of 572 1740 EQNEDT32.EXE 69577.exe PID 1740 wrote to memory of 572 1740 EQNEDT32.EXE 69577.exe PID 1740 wrote to memory of 572 1740 EQNEDT32.EXE 69577.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe PID 572 wrote to memory of 1300 572 69577.exe ieinstal.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFTCOPY_110255293303484_SANTANDER.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\69577.exe"C:\Users\Public\69577.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\69577.exeMD5
d5852dca87eaa4df0cf21616a30be33b
SHA1895f766ba9cf537ba5446e5482046e88fe4a7e10
SHA256fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
SHA5122b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da
-
C:\Users\Public\69577.exeMD5
d5852dca87eaa4df0cf21616a30be33b
SHA1895f766ba9cf537ba5446e5482046e88fe4a7e10
SHA256fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
SHA5122b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da
-
\Users\Public\69577.exeMD5
d5852dca87eaa4df0cf21616a30be33b
SHA1895f766ba9cf537ba5446e5482046e88fe4a7e10
SHA256fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
SHA5122b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da
-
\Users\Public\69577.exeMD5
d5852dca87eaa4df0cf21616a30be33b
SHA1895f766ba9cf537ba5446e5482046e88fe4a7e10
SHA256fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
SHA5122b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da
-
memory/572-11-0x0000000000000000-mapping.dmp
-
memory/572-14-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1300-18-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/1300-17-0x0000000000000000-mapping.dmp
-
memory/1300-16-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/1300-20-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1300-26-0x0000000010590000-0x000000001060B000-memory.dmpFilesize
492KB
-
memory/1300-27-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1516-8-0x000007FEF77E0000-0x000007FEF7A5A000-memory.dmpFilesize
2.5MB
-
memory/1636-2-0x0000000072821000-0x0000000072824000-memory.dmpFilesize
12KB
-
memory/1636-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1636-3-0x00000000702A1000-0x00000000702A3000-memory.dmpFilesize
8KB
-
memory/1740-7-0x00000000761E1000-0x00000000761E3000-memory.dmpFilesize
8KB
-
memory/1952-6-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmpFilesize
8KB
-
memory/1952-5-0x0000000000000000-mapping.dmp