Analysis
- Max time kernel: 118s
- Max time network: 13s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 13-04-2021 12:11

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample OMSMarineServices_order.xlsx, resource win7v20210410)
- Behavioral task: behavioral2 (sample OMSMarineServices_order.xlsx, resource win10v20210408)
General
- Target: OMSMarineServices_order.xlsx
- Size: 466KB
- MD5: 24bd4a3d25c469bb138fb16e587dbf02
- SHA1: 563d37fde327ea4fb70fa3959079f72161711722
- SHA256: 6f8debb6acde9b5b878188327ea348102cc125e8f72245f79fb39967821a91fa
- SHA512: cb05bdf0fb51ef2fe2a7f93f2c32f3a8ebe3c720642052c2cdc1eda9ba3c5bcd555187d890df5f41d83229d0081a874c1ae6c1e2252a30880dd1450cf1bbd883
Malware Config
Signatures
-
Blocklisted process makes network request (1 IoC)
Processes: EQNEDT32.EXE (PID 2004), network flow 5
-
Executes dropped EXE (1 IoC)
Processes: vbc.exe (PID 1032)
-
Loads dropped DLL (1 IoC)
Processes: EQNEDT32.EXE (PID 2004)
-
Uses the VBS compiler for execution (1 TTP)
-
Drops file in System32 directory (1 IoC)
Processes: powershell.exe, file opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: EXCEL.EXE, key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings (9 IoCs)
Processes: EXCEL.EXE
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE (PID 772)
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: vbc.exe (PID 1032, 2 IoCs); powershell.exe (PID 1724, 2 IoCs)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: vbc.exe (PID 1032), token: SeDebugPrivilege; powershell.exe (PID 1724), token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: EXCEL.EXE (PID 772, 3 IoCs)
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 2004 EQNEDT32.EXE wrote to memory of PID 1032 vbc.exe (4 IoCs)
- PID 1032 vbc.exe wrote to memory of PID 1724 powershell.exe (4 IoCs)
Processes
-
Depth 1: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\OMSMarineServices_order.xlsx
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Depth 1: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
  Depth 2 (child of EQNEDT32.EXE): "C:\Users\Public\vbc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    Depth 3 (child of vbc.exe): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\vbc.exe"
    (image on disk: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
- MD5: 646779120efc366e99baa0192686792c
- SHA1: e21d0d024da6b35e54eac701c90b842e7eee03fc
- SHA256: dc3c1973fe3b70968950859dfeb566fd92b3a7eb50dcd3517fcb193202c3022b
- SHA512: 12b5f4d55c0bb23e7c169feb04147de174d05fd4fba8ed9293b5e40055a64832b48716127484bd4e6e77c0f4b9bd0a221a63eea661415243efd6d6e722bfa00c