Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-04-2021 06:39

- Static task: static1
- Behavioral task: behavioral1
  Sample: qbsubf8fng_AGOSTO_DOC21408001.doc
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: qbsubf8fng_AGOSTO_DOC21408001.doc
  Resource: win10v20210408
General
- Target: qbsubf8fng_AGOSTO_DOC21408001.doc
- Size: 1.4MB
- MD5: 53a47a7554872f55e5d4cf09d9598b20
- SHA1: 6d8d37d0cdbfb96d79eb69e05766ee40393fcd63
- SHA256: 27ce70fee0c8e0e90e20dfd2f1e2db5d5a13b8857be1dfd2142f04ab77bc6510
- SHA512: f8764308302ec4088ba5c2f6ea8efc06de66e771932d42a22b449fcfb32b3afc5fdf98a7417291cbef36cfcdbbf494b3983faa03bef43c3bb9c16a1bfb796f19
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
- DiamondFox payload (3 IoCs)
  Detects DiamondFox payload in file/memory.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1336-74-0x0000000000400000-0x0000000000435000-memory.dmp   diamondfox
    behavioral1/memory/1336-75-0x0000000000401000-mapping.dmp                     diamondfox
    behavioral1/memory/1336-79-0x0000000000400000-0x0000000000435000-memory.dmp   diamondfox
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1696-87-0x0000000000400000-0x000000000047C000-memory.dmp   WebBrowserPassView
    behavioral1/memory/1696-88-0x00000000004466F4-mapping.dmp                     WebBrowserPassView
    behavioral1/memory/1696-91-0x0000000000400000-0x000000000047C000-memory.dmp   WebBrowserPassView
- Nirsoft (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1696-87-0x0000000000400000-0x000000000047C000-memory.dmp   Nirsoft
    behavioral1/memory/1696-88-0x00000000004466F4-mapping.dmp                     Nirsoft
    behavioral1/memory/1696-91-0x0000000000400000-0x000000000047C000-memory.dmp   Nirsoft
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow   pid    process
    6      1724   EQNEDT32.EXE
    7      1724   EQNEDT32.EXE
- Executes dropped EXE (3 IoCs)
  Processes:
    pid    process
    992    69577.exe
    1336   69577.exe
    1696   69577.exe
- Drops startup file (2 IoCs)
  Processes:
    description                    ioc                                                                                    process
    File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69577.exe   69577.exe
    File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69577.exe   69577.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid    process
    1724   EQNEDT32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                            pid    process     target process
    PID 992 set thread context of 1336     992    69577.exe   69577.exe
    PID 1336 set thread context of 1696    1336   69577.exe   69577.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description                    ioc                                 process
    File opened for modification   C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
    description       ioc                                                                                                                                                  process
    Key created       \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar                                              WINWORD.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"   WINWORD.EXE
    Key created       \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                   WINWORD.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"   WINWORD.EXE
    Set value (int)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"   WINWORD.EXE
    Set value (str)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                 WINWORD.EXE
    Key created       \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt                                              WINWORD.EXE
    Key created       \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                             WINWORD.EXE
    Set value (int)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"             WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid   process
    484   WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  Processes:
    pid    process     entries
    992    69577.exe   50 identical entries
    1336   69577.exe   1 entry
    1696   69577.exe   2 identical entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege   992   69577.exe
    292   wmic.exe   the following 20 tokens, listed twice in the same order:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    928   wmic.exe   the same 20 tokens in the same order, followed by:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    484   WINWORD.EXE
    484   WINWORD.EXE
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes:
    description                        pid    process        target process   entries
    PID 484 wrote to memory of 1996    484    WINWORD.EXE    splwow64.exe     4
    PID 1724 wrote to memory of 992    1724   EQNEDT32.EXE   69577.exe        4
    PID 992 wrote to memory of 1336    992    69577.exe      69577.exe        10
    PID 1336 wrote to memory of 292    1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 928    1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 1760   1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 1676   1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 112    1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 1476   1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 1608   1336   69577.exe      wmic.exe         4
    PID 1336 wrote to memory of 1696   1336   69577.exe      69577.exe        10
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qbsubf8fng_AGOSTO_DOC21408001.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\69577.exe
    Command line: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\69577.exe
      Command line: "C:\Users\Public\69577.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" os get caption /FORMAT:List
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" path win32_VideoController get caption /FORMAT:List
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get StatusCode /FORMAT:List
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get ResponseTime /FORMAT:List
      - C:\Users\Public\69577.exe
        Command line: /scomma "C:\Users\Public\1.log"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\1.log
  MD5: 4f7d90f045ae07792fb8d76bce925854
  SHA1: c39b2866368f2c88c1865aa5577792bd2fb8bfe5
  SHA256: df74b997137fec63589828cafa9df9bfe272b330ffb8743fa4db79096a0fdc34
  SHA512: 4ce48987acf465b7064d0162449eaf929b1e80dc760fe2da72e2841754a34536be5b2c17ade17d58e76c31bc9fdd6540820191395b9399287aabf4007274ae71
- C:\Users\Public\69577.exe
  MD5: 1f130569a8373dfae4f387d4757769cf
  SHA1: 038f27c37ade7fcb97745e149b65258a7a1ea295
  SHA256: ed5872028e073a00549aa0ffe151dc4d641eae83694c1fcc3dc545183c091d97
  SHA512: 7401da486a4141efe362f3ba80299f3305e05866e7a04cad8a40107fe6a83765e4616af4ef6f6f40b605135cd34a3c48dedc6023ee32facfb8b4984f29cfa7b3
- \Users\Public\69577.exe
  MD5: 1f130569a8373dfae4f387d4757769cf
  SHA1: 038f27c37ade7fcb97745e149b65258a7a1ea295
  SHA256: ed5872028e073a00549aa0ffe151dc4d641eae83694c1fcc3dc545183c091d97
  SHA512: 7401da486a4141efe362f3ba80299f3305e05866e7a04cad8a40107fe6a83765e4616af4ef6f6f40b605135cd34a3c48dedc6023ee32facfb8b4984f29cfa7b3
- memory/112-83-0x0000000000000000-mapping.dmp
- memory/292-78-0x0000000000000000-mapping.dmp
- memory/484-93-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/484-60-0x0000000070701000-0x0000000070703000-memory.dmp (Filesize: 8KB)
- memory/484-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/484-59-0x0000000072C81000-0x0000000072C84000-memory.dmp (Filesize: 12KB)
- memory/928-80-0x0000000000000000-mapping.dmp
- memory/992-66-0x0000000000000000-mapping.dmp
- memory/992-72-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (Filesize: 4KB)
- memory/992-69-0x0000000001340000-0x0000000001341000-memory.dmp (Filesize: 4KB)
- memory/992-73-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/992-71-0x00000000004F0000-0x000000000052F000-memory.dmp (Filesize: 252KB)
- memory/992-85-0x0000000004BE5000-0x0000000004BF6000-memory.dmp (Filesize: 68KB)
- memory/1336-75-0x0000000000401000-mapping.dmp
- memory/1336-79-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1336-74-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1476-84-0x0000000000000000-mapping.dmp
- memory/1608-86-0x0000000000000000-mapping.dmp
- memory/1676-82-0x0000000000000000-mapping.dmp
- memory/1696-87-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
- memory/1696-88-0x00000000004466F4-mapping.dmp
- memory/1696-91-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
- memory/1724-64-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize: 8KB)
- memory/1760-81-0x0000000000000000-mapping.dmp
- memory/1996-63-0x000007FEFC181000-0x000007FEFC183000-memory.dmp (Filesize: 8KB)
- memory/1996-62-0x0000000000000000-mapping.dmp