Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-05-2021 13:02

Static task: static1
Behavioral task: behavioral1
- Sample: 01efad1d_by_Libranalysis.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 01efad1d_by_Libranalysis.doc
- Resource: win10v20210410

General
- Target: 01efad1d_by_Libranalysis.doc
- Size: 10KB
- MD5: 01efad1d21685954881771187b7c89a3
- SHA1: 27a25eb720a4463bc31ce42d344cb42e634c3ef8
- SHA256: 43b70d6f8bd360f7ad9bcb4f9f0bd70adbab27a733d27ec320168e1a127d8481
- SHA512: 80e44521033828bcd8943870d751139ae76b38e2d02f3dce8ac56df322c2ebc70d92fb8036850be373e8f0e23c4649a3b774523a3431cf59888a42e2c5e1e955
Malware Config
Extracted: xloader 2.3
- http://www.cats16.com/8u3b/
Signatures

Xloader Payload 2 IoCs
Processes:
- resource: behavioral1/memory/1532-81-0x000000000041D0A0-mapping.dmp, yara_rule: xloader
- resource: behavioral1/memory/1532-80-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader

Blocklisted process makes network request 1 IoCs
Processes:
- flow 9, pid 376, process EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
- pid 112, process vbc.exe
- pid 1532, process vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://will.kasraz.com/a/d.dot (WINWORD.EXE)

Loads dropped DLL 4 IoCs
Processes:
- pid 376, process EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 112 set thread context of 1532 (vbc.exe -> vbc.exe)
- PID 1532 set thread context of 1200 (vbc.exe -> Explorer.EXE)

Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings 9 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1840, process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid 1532, process vbc.exe (2 entries)

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- pid 1532, process vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeShutdownPrivilege, pid 1840, process WINWORD.EXE
- Token: SeDebugPrivilege, pid 1532, process vbc.exe

Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
- pid 1840, process WINWORD.EXE (16 entries)

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
- PID 376 wrote to memory of 112 (EQNEDT32.EXE -> vbc.exe), 4 entries
- PID 1840 wrote to memory of 944 (WINWORD.EXE -> splwow64.exe), 4 entries
- PID 112 wrote to memory of 1532 (vbc.exe -> vbc.exe), 7 entries
- PID 1200 wrote to memory of 1976 (Explorer.EXE -> msiexec.exe), 7 entries
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01efad1d_by_Libranalysis.doc"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
- MD5: 74ed218c2c421e3978445a1edbe40a08
- SHA1: 16d950eae07654c9805d4476928c4c8d7d12fcc1
- SHA256: b32ad3bf2b79e411ca0450c1d5430d12c9bb73c269e0838ee512bc816fcce3b7
- SHA512: 0cb4af6ad1434d4140d0e055fc77de2543c9ea9babe077de27184b1628cbdc8f32530c5f0c2f4b3e1199459c0521e67415421525070c0870e75dc09105bf94d6
Memory dumps:
- memory/112-79-0x0000000005260000-0x00000000052C2000-memory.dmp (Filesize 392KB)
- memory/112-78-0x00000000051B0000-0x0000000005258000-memory.dmp (Filesize 672KB)
- memory/112-71-0x0000000000050000-0x0000000000051000-memory.dmp (Filesize 4KB)
- memory/112-75-0x0000000000430000-0x000000000043E000-memory.dmp (Filesize 56KB)
- memory/112-76-0x0000000004750000-0x0000000004751000-memory.dmp (Filesize 4KB)
- memory/112-68-0x0000000000000000-mapping.dmp
- memory/376-63-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)
- memory/944-73-0x0000000000000000-mapping.dmp
- memory/944-74-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp (Filesize 8KB)
- memory/1200-86-0x0000000006450000-0x00000000065F1000-memory.dmp (Filesize 1.6MB)
- memory/1532-80-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1532-81-0x000000000041D0A0-mapping.dmp
- memory/1532-84-0x0000000000A60000-0x0000000000D63000-memory.dmp (Filesize 3.0MB)
- memory/1532-85-0x0000000000360000-0x0000000000371000-memory.dmp (Filesize 68KB)
- memory/1840-60-0x0000000072AB1000-0x0000000072AB4000-memory.dmp (Filesize 12KB)
- memory/1840-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1840-61-0x0000000070531000-0x0000000070533000-memory.dmp (Filesize 8KB)
- memory/1840-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)