Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Shipping doc & Shipment tracking details.docx
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: DHL Shipping doc & Shipment tracking details.docx
- Resource: win10v20201028
(All signature, process and memory data in this report reference behavioral1, the Windows 7 run; no behavioral2 detail is shown.)
General
- Target: DHL Shipping doc & Shipment tracking details.docx
- Size: 10KB
- MD5: 30909a9932c77fb923a96b1b090b4806
- SHA1: 2bbe988290a47de63763796db6a39de0e268a5cf
- SHA256: 23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
- SHA512: 3a42c4e4384bed6fe50d3ac3cc02d65108b315ae899abea355792d2f1063be415d80aa1786bac9053a5b7a5f622491fcc5e53cb8c222c252a430b9af0c034836
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.scott-re.online/nnmd/
- Domains (XLoader configs carry a list of domains alongside the live C2; most are decoys the bot also contacts, so treat these as pivots rather than confirmed C2):
bongwater.life
regalparkllc.com
gyanankuram.com
quehaydecenarhoy.com
israeldigitalblog.net
gatewaygaurdians.com
krphp.com
domentemenegi47.com
fjsibao.com
yetbor.com
goldenvalueable.com
finalexam-thegame.com
buyeverythingforbaby.com
phillydroneservices.com
xn--kck4cd0r.net
suns-brothers.com
xn--80aaxkmix.xn--p1acf
pjsgsc.com
7985699.com
blackmantech.fitness
acernoxsas.com
verochfotografa.com
az-pcp.com
clonegrandma.com
elpis-catering.com
gujaratmba.com
samanthataylordesigns.com
sinisviaggi.com
likehowto.com
ueoxx.com
americanscreentest.com
taniakarina.com
nevomo.group
syduit.com
elticrecruit.com
xn--v1bmo9dufsb.com
valid8.network
vt999app.net
privateselights.com
xpddwrfj.icu
mex33.info
ekolucky.com
v6b9.com
winnijermaynezigmund.site
papofabri.com
ranguanglian.club
vinegret.com
sorelaxedmassage.com
vr-club.site
raison-sociale.com
partapprintercare.com
dream-e-mail.com
cwcellar.com
vegrebel.com
my-weight-loss-blog.net
hcr.services
topmejoresproductos.com
foodates.com
l2zmamzoin.xyz
nevertraveled.com
ikoyisland.net
lawsoftwareteam.com
ufa2345.com
thechilldrengang.com
Signatures
-
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/672-71-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral1/memory/672-72-0x000000000041CF90-mapping.dmp | xloader
behavioral1/memory/1256-74-0x0000000000220000-0x000000000024A000-memory.dmp | xloader
behavioral1/memory/1356-83-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
8 | 700 | EQNEDT32.EXE
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1256 | vbc.exe
672 | vbc.exe
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Office\Common\Offline\Files\http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/...................................................................... | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
The Office\Common\Offline\Files key records a remote resource Word resolved while opening the document; the URL under it is the staging location on 23.95.122.24 that the document's external relationship points at. A 10KB .docx carries no room for an embedded payload, so the exploit content is fetched at open time rather than shipped in the file.
-
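The signature above fires because Word resolved a relationship whose target lives outside the package. The following static check is an added example (not part of this report and not any sandbox's own code): it walks every .rels part in a .docx, lists relationships with TargetMode="External", and separates the types Word fetches on open (oleObject, attachedTemplate, image, frame, subDocument) from hyperlinks, which only fire on click. The sample document it builds in memory is constructed for the demo; the host 23.95.122.24 is taken from the report, while the path /stage2 and the example.com hyperlink are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves while opening the document, without a click.
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate", "image", "frame", "subDocument"}


def scan_external_relationships(docx_bytes):
    """Return (rels part, relationship type, target, auto_fetch) for every
    relationship in the package whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # unparsable part: nothing to extract from it here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append((name, rel_type, target, rel_type in AUTO_FETCH_TYPES))
    return findings


def triage(docx_bytes):
    """Split external targets into those fetched on open and those needing a click."""
    auto, click = [], []
    for _, rel_type, target, is_auto in scan_external_relationships(docx_bytes):
        (auto if is_auto else click).append((rel_type, target))
    return auto, click


def build_sample_docx(ole_target):
    """Constructed sample: a minimal .docx whose document part carries an
    external OLE object relationship (the trick this report's signature flags)
    plus an ordinary hyperlink for contrast."""
    def rel(rid, kind, target, external=False):
        mode = ' TargetMode="External"' if external else ""
        return f'<Relationship Id="{rid}" Type="{OFFICE_REL}{kind}" Target="{target}"{mode}/>'

    doc_rels = (f'<Relationships xmlns="{REL_NS}">'
                + rel("rId1", "styles", "styles.xml")
                + rel("rId2", "oleObject", ole_target, external=True)
                + rel("rId3", "hyperlink", "https://example.com/track", external=True)
                + "</Relationships>")
    pkg_rels = (f'<Relationships xmlns="{REL_NS}">'
                + rel("rId1", "officeDocument", "word/document.xml")
                + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Host taken from the report; the path is a placeholder for this demo.
    sample = build_sample_docx("http://23.95.122.24/stage2")
    auto, click = triage(sample)
    for rel_type, target in auto:
        print(f"FETCHED ON OPEN  {rel_type:<16} {target}")
    for rel_type, target in click:
        print(f"click only       {rel_type:<16} {target}")
```

Because every .rels part is walked, the same scan also catches the remote-template variant (attachedTemplate in word/_rels/settings.xml.rels). Benign documents with linked images will also land in the auto-fetch bucket, so use the output for triage and pivoting on the target host, not as a verdict on its own.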
Loads dropped DLL 2 IoCs
Processes:
pid | process
700 | EQNEDT32.EXE
700 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
The file executed here is the dropped payload at C:\Users\Public\vbc.exe (hashes under Downloads), which borrows the name of the Visual Basic compiler rather than being the .NET Framework binary; the signature keys on the name, so check the path before treating this as a living-off-the-land compile.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
pid | process | target pid | target process
1256 | vbc.exe | 672 | vbc.exe
672 | vbc.exe | 1244 | Explorer.EXE
1356 | colorcpl.exe | 1244 | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
wiatrace.log is the Windows Image Acquisition trace log and is commonly touched by benign Office runs; it is not evidence of the payload on its own.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
The report does not identify which Equation Editor bug was triggered; what it does show is EQNEDT32.EXE (pid 700) making a network request, loading a dropped DLL and writing a new process, C:\Users\Public\vbc.exe, which is the behaviour the Equation Editor exploit family produces.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
These are the Office 2010 context-menu registrations (Send to OneNote, Export to Microsoft Excel) that Word writes on first run in a fresh VM; they are environment noise, not attacker persistence.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1336 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid | process | events
672 | vbc.exe | 2
1356 | colorcpl.exe | 27
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1244 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process | events
672 | vbc.exe | 3
1356 | colorcpl.exe | 2
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process | events
Token: SeDebugPrivilege | 672 | vbc.exe | 1
Token: SeShutdownPrivilege | 1244 | Explorer.EXE | 5
Token: SeDebugPrivilege | 1356 | colorcpl.exe | 1
Token: SeShutdownPrivilege | 1244 | Explorer.EXE | 2
Token: SeShutdownPrivilege | 1336 | WINWORD.EXE | 1
The two SeDebugPrivilege requests come from vbc.exe (672) and colorcpl.exe (1356), the same two processes that set thread context on Explorer.EXE; the SeShutdownPrivilege entries for Explorer and Word are ordinary shell behaviour.
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process | events
1244 | Explorer.EXE | 4
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process | events
1244 | Explorer.EXE | 4
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process | events
1336 | WINWORD.EXE | 2
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
pid | process | target pid | target process | events
700 | EQNEDT32.EXE | 1256 | vbc.exe | 4
1336 | WINWORD.EXE | 1880 | splwow64.exe | 4
1256 | vbc.exe | 672 | vbc.exe | 7
1244 | Explorer.EXE | 1356 | colorcpl.exe | 4
1356 | colorcpl.exe | 944 | cmd.exe | 4
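The WriteProcessMemory and SetThreadContext tables above describe the injection chain one hop at a time. The script below is an added example, not something the report or the sandbox ships: it parses event lines in the report's own format, builds the actor-to-target graph, walks it from the processes nothing ever targeted, and labels each SetThreadContext event with a heuristic (same image plus prior writes from the actor reads as hollowing; no prior writes from the actor reads as injection into a process that was already running). The embedded EVENTS block is an excerpt copied from the tables above with the repeated rows trimmed; the labels are this example's heuristics, not sandbox verdicts.

```python
import re
from collections import defaultdict

# Excerpt of the report's WriteProcessMemory and SetThreadContext rows, in the
# shape the sandbox prints them (the full report has 23 write and 3 context events).
EVENTS = """\
PID 700 wrote to memory of 1256 700 EQNEDT32.EXE vbc.exe
PID 700 wrote to memory of 1256 700 EQNEDT32.EXE vbc.exe
PID 1336 wrote to memory of 1880 1336 WINWORD.EXE splwow64.exe
PID 1256 wrote to memory of 672 1256 vbc.exe vbc.exe
PID 1256 wrote to memory of 672 1256 vbc.exe vbc.exe
PID 1256 wrote to memory of 672 1256 vbc.exe vbc.exe
PID 1244 wrote to memory of 1356 1244 Explorer.EXE colorcpl.exe
PID 1356 wrote to memory of 944 1356 colorcpl.exe cmd.exe
PID 1256 set thread context of 672 1256 vbc.exe vbc.exe
PID 672 set thread context of 1244 672 vbc.exe Explorer.EXE
PID 1356 set thread context of 1244 1356 colorcpl.exe Explorer.EXE
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def parse_events(text):
    """Return (writes, ctx, images): writes counts WriteProcessMemory calls per
    (actor, target) pid pair, ctx lists SetThreadContext pairs in report order,
    images maps pid -> image name."""
    writes, ctx, images = defaultdict(int), [], {}
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            a, t = int(m[1]), int(m[2])
            writes[(a, t)] += 1
        else:
            m = CTX_RE.match(line)
            if not m:
                continue
            a, t = int(m[1]), int(m[2])
            ctx.append((a, t))
        images[a], images[t] = m[3], m[4]
    return writes, ctx, images


def classify_thread_context(writes, ctx, images):
    """Heuristic label for each SetThreadContext event based on what the actor did first."""
    labels = {}
    for a, t in ctx:
        same_image = images[a].lower() == images[t].lower()
        if writes[(a, t)] and same_image:
            labels[(a, t)] = ("process hollowing: actor spawned a copy of itself, "
                              "wrote into it, then redirected its thread")
        elif writes[(a, t)]:
            labels[(a, t)] = "thread hijack after WriteProcessMemory into a process the actor created"
        else:
            labels[(a, t)] = ("injection into an already-running process with no WriteProcessMemory "
                              "from the actor (payload mapped another way, e.g. a shared section)")
    return labels


def injection_chains(writes, ctx):
    """Follow every actor -> target edge from the pids nothing ever targeted;
    a branch stops when it would revisit a pid (Explorer and colorcpl point at each other)."""
    edges = set(writes) | set(ctx)
    graph = defaultdict(set)
    for a, t in edges:
        graph[a].add(t)
    roots = sorted({a for a, _ in edges} - {t for _, t in edges})
    chains = []

    def walk(node, path):
        nxt = [n for n in sorted(graph[node]) if n not in path]
        if not nxt:
            chains.append(path)
        for n in nxt:
            walk(n, path + [n])

    for r in roots:
        walk(r, [r])
    return chains


def render(chains, labels, images):
    lines = [" -> ".join(f"{images[p]}({p})" for p in c) for c in chains]
    for (a, t), label in labels.items():
        lines.append(f"{images[a]}({a}) -> {images[t]}({t}): {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    w, c, im = parse_events(EVENTS)
    print(render(injection_chains(w, c), classify_thread_context(w, c, im), im))
```

On this excerpt the walk yields two chains, EQNEDT32.EXE(700) -> vbc.exe(1256) -> vbc.exe(672) -> Explorer.EXE(1244) -> colorcpl.exe(1356) -> cmd.exe(944) and WINWORD.EXE(1336) -> splwow64.exe(1880); the second is Word's print spooler helper and is benign. Parent-to-child writes at process creation look identical to injection writes in this data, which is why the labels lean on the image name and on the absence of writes rather than on write counts.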
Processes
-
[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DHL Shipping doc & Shipment tracking details.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288
  [depth 2] C:\Windows\SysWOW64\colorcpl.exe
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"
[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Chain as the tree and the signature tables show it: Word opens the document and resolves an external resource on 23.95.122.24 (the Offline\Files key). Equation Editor (EQNEDT32.EXE, pid 700) is started out-of-process by COM (the -Embedding switch), which is why it appears as a second root rather than a child of WINWORD.EXE; lineage-based detections therefore have to key on EQNEDT32.EXE itself spawning anything, not on Word's children. It makes a network request, loads a dropped DLL and launches C:\Users\Public\vbc.exe (pid 1256), which starts a second copy of itself (pid 672), writes into it and sets its thread context. Pid 672 then sets thread context on Explorer.EXE (pid 1244); Explorer launches C:\Windows\SysWOW64\colorcpl.exe (pid 1356), whose memory carries the XLoader payload (yara hit on memory/1356-83), sets thread context on Explorer again, and runs cmd.exe /c del to remove the dropper from C:\Users\Public. Memory of both vbc.exe (672) and colorcpl.exe (1356) is identified as XLoader 2.3 with C2 http://www.scott-re.online/nnmd/.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (the dropped payload launched by EQNEDT32.EXE; also listed as \Users\Public\vbc.exe, same file)
- MD5: 29e8627d7b80c21fc98c82314f3df5e2
- SHA1: 22817310a3108ced7ec26488e1e2d3d2f8c32018
- SHA256: 98bf20a283219c4cc786234b7d389766fddbe3b095d13c9109f5406128e83103
- SHA512: 67da772472fea7587503c674cc7695d24d6a9b777fd3fb41090058730f65bdf55c7f5cf619ef8a6c2ebb0f03a5ff4ddd81a5846a40d307c711d9b71f72f20525
-
-
- memory/672-76-0x0000000000860000-0x0000000000B63000-memory.dmp | Filesize 3.0MB
- memory/672-77-0x0000000000290000-0x00000000002A0000-memory.dmp | Filesize 64KB
- memory/672-71-0x0000000000400000-0x0000000000428000-memory.dmp | Filesize 160KB
- memory/672-72-0x000000000041CF90-mapping.dmp
- memory/700-63-0x0000000075DE1000-0x0000000075DE3000-memory.dmp | Filesize 8KB
- memory/944-81-0x0000000000000000-mapping.dmp
- memory/1244-78-0x0000000006A80000-0x0000000006BF2000-memory.dmp | Filesize 1.4MB
- memory/1244-86-0x0000000006C00000-0x0000000006D0D000-memory.dmp | Filesize 1.1MB
- memory/1256-66-0x0000000000000000-mapping.dmp
- memory/1256-74-0x0000000000220000-0x000000000024A000-memory.dmp | Filesize 168KB
- memory/1336-60-0x00000000721D1000-0x00000000721D4000-memory.dmp | Filesize 12KB
- memory/1336-62-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize 64KB
- memory/1336-61-0x000000006FC51000-0x000000006FC53000-memory.dmp | Filesize 8KB
- memory/1336-87-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize 64KB
- memory/1356-79-0x0000000000000000-mapping.dmp
- memory/1356-83-0x0000000000080000-0x00000000000A8000-memory.dmp | Filesize 160KB
- memory/1356-84-0x0000000001F60000-0x0000000002263000-memory.dmp | Filesize 3.0MB
- memory/1356-82-0x00000000009B0000-0x00000000009C8000-memory.dmp | Filesize 96KB
- memory/1356-85-0x0000000000900000-0x000000000098F000-memory.dmp | Filesize 572KB
- memory/1880-69-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp | Filesize 8KB
- memory/1880-68-0x0000000000000000-mapping.dmp