Analysis

  • max time kernel
    138s
  • max time network
    114s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    29-04-2021 05:53

General

  • Target

    remittance advice.docx

  • Size

    10KB

  • MD5

    2af49a1a11b912f47a1f5c48ba164ed1

  • SHA1

    ad0466cc2e11093139e94cf2ecd1ba0b0443eb30

  • SHA256

    100636e87d7ac9e5f4b98ad3028b942e04956284f3fb57d7573c6af6c8316d79

  • SHA512

    d62be458783eb5ae3fd555206d538f0005f56771c98ebf98582a5fea62e6819a8cf593906d552f2eb4399f7b186ac571d940ead5c0f80b8b8757f4346a2fe5e5

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\remittance advice.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1624
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1296
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1496
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1672
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1628
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:2028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • C:\Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • \Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • \Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • \Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • \Users\Public\vbc.exe
      MD5

      0b43c829af2eb773a3614b02ba5b8c5f

      SHA1

      bc55a69ca1a72f9f0761112c05b3938aebad1c43

      SHA256

      25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac

      SHA512

      b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402

    • memory/536-63-0x0000000075B31000-0x0000000075B33000-memory.dmp
      Filesize

      8KB

    • memory/740-73-0x0000000001E40000-0x0000000001E41000-memory.dmp
      Filesize

      4KB

    • memory/740-76-0x0000000000460000-0x000000000046D000-memory.dmp
      Filesize

      52KB

    • memory/740-78-0x00000000051D0000-0x0000000005240000-memory.dmp
      Filesize

      448KB

    • memory/740-79-0x0000000001E80000-0x0000000001EAE000-memory.dmp
      Filesize

      184KB

    • memory/740-71-0x00000000003A0000-0x00000000003A1000-memory.dmp
      Filesize

      4KB

    • memory/740-68-0x0000000000000000-mapping.dmp
    • memory/1624-74-0x0000000000000000-mapping.dmp
    • memory/1624-75-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
      Filesize

      8KB

    • memory/1684-77-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1684-60-0x0000000072DE1000-0x0000000072DE4000-memory.dmp
      Filesize

      12KB

    • memory/1684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1684-61-0x0000000070861000-0x0000000070863000-memory.dmp
      Filesize

      8KB