Analysis
- max time kernel: 138s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 29-04-2021 05:53
Static task: static1
Behavioral task: behavioral1 (Sample: remittance advice.docx; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: remittance advice.docx; Resource: win10v20210408)
General
- Target: remittance advice.docx
- Size: 10KB
- MD5: 2af49a1a11b912f47a1f5c48ba164ed1
- SHA1: ad0466cc2e11093139e94cf2ecd1ba0b0443eb30
- SHA256: 100636e87d7ac9e5f4b98ad3028b942e04956284f3fb57d7573c6af6c8316d79
- SHA512: d62be458783eb5ae3fd555206d538f0005f56771c98ebf98582a5fea62e6819a8cf593906d552f2eb4399f7b186ac571d940ead5c0f80b8b8757f4346a2fe5e5
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process): 14 / 536 / EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (6 IoCs)
  Processes (pid / process): 740 vbc.exe, 1296 vbc.exe, 1672 vbc.exe, 1496 vbc.exe, 1628 vbc.exe, 2028 vbc.exe
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes (description / ioc / process):
  Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://is.gd/RwhzMw (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Loads dropped DLL (4 IoCs)
  Processes (pid / process): 536 EQNEDT32.EXE (4 entries)
- Uses the VBS compiler for execution (1 TTP)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process): File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings (signature name taken from the process tree; the heading itself is missing from the extracted signature list)
  Processes (description / ioc / process), all by WINWORD.EXE. Every key below is relative to \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\
  Key created MenuExt\Se&nd to OneNote
  Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created Toolbar
  Key created MenuExt
  Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created MenuExt\E&xport to Microsoft Excel
  Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str) Toolbar\ShowDiscussionButton = "Yes"
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process): 1684 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid / process): 740 vbc.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process): Token: SeShutdownPrivilege 1684 WINWORD.EXE; Token: SeDebugPrivilege 740 vbc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process): 1684 WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description / pid / process / target process):
  PID 536 EQNEDT32.EXE wrote to memory of 740 vbc.exe (4 entries)
  PID 1684 WINWORD.EXE wrote to memory of 1624 splwow64.exe (4 entries)
  PID 740 vbc.exe wrote to memory of 1296 vbc.exe (4 entries)
  PID 740 vbc.exe wrote to memory of 1672 vbc.exe (4 entries)
  PID 740 vbc.exe wrote to memory of 1496 vbc.exe (4 entries)
  PID 740 vbc.exe wrote to memory of 1628 vbc.exe (4 entries)
  PID 740 vbc.exe wrote to memory of 2028 vbc.exe (4 entries)
Processes (bracketed number is the depth in the process tree)
- [1] "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\remittance advice.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\splwow64.exe 12288
- [1] "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - [2] "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - [3] "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - [3] "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - [3] "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - [3] "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
Downloads
- C:\Users\Public\vbc.exe (listed 11 times with identical hashes, four of them under the drive-less path \Users\Public\vbc.exe)
  MD5: 0b43c829af2eb773a3614b02ba5b8c5f
  SHA1: bc55a69ca1a72f9f0761112c05b3938aebad1c43
  SHA256: 25b6f68e2bf505cfde67c533f5d12e869b30efe831fa82fd91c2c29f59fc77ac
  SHA512: b217e62b84ee1ff57bb71195a0758ead6821c3cd21b9d48b710cc0a972b2740001e87edeaa22dd10800446ec15733ef5fa51eb58f2ca6d3129b351d9d2c99402
Memory dumps
- memory/536-63-0x0000000075B31000-0x0000000075B33000-memory.dmp (8KB)
- memory/740-73-0x0000000001E40000-0x0000000001E41000-memory.dmp (4KB)
- memory/740-76-0x0000000000460000-0x000000000046D000-memory.dmp (52KB)
- memory/740-78-0x00000000051D0000-0x0000000005240000-memory.dmp (448KB)
- memory/740-79-0x0000000001E80000-0x0000000001EAE000-memory.dmp (184KB)
- memory/740-71-0x00000000003A0000-0x00000000003A1000-memory.dmp (4KB)
- memory/740-68-0x0000000000000000-mapping.dmp
- memory/1624-74-0x0000000000000000-mapping.dmp
- memory/1624-75-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp (8KB)
- memory/1684-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1684-60-0x0000000072DE1000-0x0000000072DE4000-memory.dmp (12KB)
- memory/1684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1684-61-0x0000000070861000-0x0000000070863000-memory.dmp (8KB)