Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7v20210408
submitted: 30-04-2021 09:05

Static task: static1
Behavioral task: behavioral1
  Sample: d801e424_by_Libranalysis.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: d801e424_by_Libranalysis.doc
  Resource: win10v20210410
General
Target: d801e424_by_Libranalysis.doc
Size: 10KB
MD5: d801e4244d30d948a98f68d37abbaed3
SHA1: 0f82739fc9522c5b06f591df09755f98316fc7e4
SHA256: 5e918aec8ebdbc9ca2fd81f3685740d087332635e9c78cbd3616c482469054d0
SHA512: 187059596d5842fbf2db9ccc435964c554ffcf72b557815f39eed18ab5c37cab372e11cddae4b074744b9b97fca8e1325fb9d479330ee6a38923f14c74ef56d4
Malware Config
Extracted
xloader
2.3
http://www.gailrichardson.com/qjnt/
Signatures

Xloader Payload 3 IoCs
  resource | yara_rule
  behavioral1/memory/280-72-0x000000000041D090-mapping.dmp | xloader
  behavioral1/memory/280-71-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1608-84-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  13 | 1100 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
  pid | process
  344 | vbc.exe
  280 | vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://cutt.ly/abfROoi | WINWORD.EXE

Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1100 | EQNEDT32.EXE
  1100 | EQNEDT32.EXE

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 344 set thread context of 280 | 344 | vbc.exe | vbc.exe
  PID 280 set thread context of 1272 | 280 | vbc.exe | Explorer.EXE
  PID 1608 set thread context of 1272 | 1608 | ipconfig.exe | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid | process
  1608 | ipconfig.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1824 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
  pid | process
  280 | vbc.exe (2 entries)
  1608 | ipconfig.exe (25 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  1272 | Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid | process
  280 | vbc.exe (3 entries)
  1608 | ipconfig.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 280 | vbc.exe
  Token: SeShutdownPrivilege | 1272 | Explorer.EXE (6 entries)
  Token: SeDebugPrivilege | 1608 | ipconfig.exe
  Token: SeShutdownPrivilege | 1824 | WINWORD.EXE

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid | process
  1272 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid | process
  1272 | Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
  pid | process
  1824 | WINWORD.EXE (16 entries)
  344 | vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs
Processes:
  description | pid | process | target process
  PID 1100 wrote to memory of 344 | 1100 | EQNEDT32.EXE | vbc.exe (4 entries)
  PID 344 wrote to memory of 280 | 344 | vbc.exe | vbc.exe (7 entries)
  PID 1824 wrote to memory of 1988 | 1824 | WINWORD.EXE | splwow64.exe (4 entries)
  PID 1272 wrote to memory of 1608 | 1272 | Explorer.EXE | ipconfig.exe (4 entries)
  PID 1608 wrote to memory of 1100 | 1608 | ipconfig.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d801e424_by_Libranalysis.doc"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (depth 3)
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\ipconfig.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (depth 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (depth 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
  MD5: 1d0d4b1031abf4a7e6da58d81bc98d6b
  SHA1: 65ffa307e1b9888f83cc554c818ad5e061963d0b
  SHA256: ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852
  SHA512: 1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669
memory/280-71-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/280-78-0x00000000003D0000-0x00000000003E1000-memory.dmp  Filesize: 68KB
memory/280-77-0x0000000000970000-0x0000000000C73000-memory.dmp  Filesize: 3.0MB
memory/280-72-0x000000000041D090-mapping.dmp
memory/344-66-0x0000000000000000-mapping.dmp
memory/1100-82-0x0000000000000000-mapping.dmp
memory/1100-63-0x0000000075D51000-0x0000000075D53000-memory.dmp  Filesize: 8KB
memory/1272-79-0x0000000006B50000-0x0000000006CB2000-memory.dmp  Filesize: 1.4MB
memory/1272-87-0x0000000004990000-0x0000000004A40000-memory.dmp  Filesize: 704KB
memory/1608-84-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/1608-80-0x0000000000000000-mapping.dmp
memory/1608-83-0x0000000000C50000-0x0000000000C5A000-memory.dmp  Filesize: 40KB
memory/1608-85-0x0000000002380000-0x0000000002683000-memory.dmp  Filesize: 3.0MB
memory/1608-86-0x00000000004A0000-0x0000000000530000-memory.dmp  Filesize: 576KB
memory/1824-61-0x0000000070261000-0x0000000070263000-memory.dmp  Filesize: 8KB
memory/1824-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1824-60-0x00000000727E1000-0x00000000727E4000-memory.dmp  Filesize: 12KB
memory/1824-88-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1988-75-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp  Filesize: 8KB
memory/1988-74-0x0000000000000000-mapping.dmp