Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 04:13
Static task: static1
Behavioral task: behavioral1
- Sample: payment-000598635.docx
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: payment-000598635.docx
- Resource: win10v20210410
General
- Target: payment-000598635.docx
- Size: 10KB
- MD5: 5c73df1769f5842ee5810e849f76479c
- SHA1: 72282281170957eebefe050b767e9d25b0263ca9
- SHA256: 7ee841fa5f82f3b229064a75f3454d595899132f93a5d77045cd4786d03615de
- SHA512: 67471217d91696acc7bd0a1245606f35ebb76df8f09dc17aaef854971df059b76abb6a8c4134ea7e7003dcdf3a3ba5657d3d645f4029e7c1bb18900adbc4e893
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.apluspro.online/bgnq/
- Domains (one per line):
customsclearingagents.com
vsemasteraokon.online
seeheresthething.com
chozamtravel.com
cjkustom.com
djeffexla.com
survivingks.com
rokascapitalmanagement.net
tekdesignlimited.com
1499parkave.com
fontanerosboadilla.com
jesusencounterminisries.com
uouhodler.com
cordstraw.com
dab50074.com
sarahleinartstore.com
inawinnebago.com
wassersportzentrum.online
giselabustamante.com
gulaturun.com
help4americanheroes.com
manuellandmann.com
togshot.com
indapolisitaiik.com
equilibriumarket.com
toucanwellness.com
piyboo.com
zoom4k.xyz
babe-boutique.com
f28smart.com
lawrencepestcontrolpros.com
yeethong.com
thewowwomen.com
priscillamaury.com
curtex.info
jennifernealtarot.com
atiqherbal.com
geraldgulley.com
jenniferlarmstrong.com
imaymei.com
electricporsche986.com
mikeahenry.com
colinscotflorals.com
01cheshi.com
hellofresh.club
infinitegrowthmarketing.com
kuryeforum.xyz
khalifehlivestock.com
biryanished.com
originallionqueen.com
tajigroup.com
instuctur.com
pennyfishdesigns.com
dulceespera.net
corporate-hero.com
sensers.club
unionbayblog.com
romaindaubord.com
kwrecruitment.com
hostingforphotographers.com
107001.com
lovelaughwine.com
simplyhealrhcareplans.com
thedoubletwelve.com
Signatures
-
Xloader Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1232-83-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/1232-84-0x000000000041D090-mapping.dmp: xloader
- behavioral1/memory/1636-94-0x0000000000090000-0x00000000000B9000-memory.dmp: xloader
-
Blocklisted process makes network request 2 IoCs
Processes (flow / pid / process):
- flow 15, pid 1680, EQNEDT32.EXE
- flow 16, pid 1680, EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 1760 vbc.exe
- 1232 vbc.exe
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://is.gd/2x73Dx (WINWORD.EXE)
-
Loads dropped DLL 4 IoCs
Processes (pid / process):
- 1680 EQNEDT32.EXE (4 entries)
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 1760 set thread context of 1232: vbc.exe -> vbc.exe
- PID 1232 set thread context of 1268: vbc.exe -> Explorer.EXE
- PID 1636 set thread context of 1268: rundll32.exe -> Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes (description / ioc / process):
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid / process):
- 784 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes (pid / process):
- 1232 vbc.exe (2 entries)
- 1636 rundll32.exe (5 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 1268 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
- 1232 vbc.exe (3 entries)
- 1636 rundll32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeShutdownPrivilege, 784 WINWORD.EXE
- Token: SeDebugPrivilege, 1232 vbc.exe
- Token: SeDebugPrivilege, 1636 rundll32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid / process):
- 784 WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes (description / pid / process / target process), identical entries collapsed with counts:
- PID 1680 wrote to memory of 1760: EQNEDT32.EXE -> vbc.exe (4 entries)
- PID 784 wrote to memory of 1700: WINWORD.EXE -> splwow64.exe (4 entries)
- PID 1760 wrote to memory of 1232: vbc.exe -> vbc.exe (7 entries)
- PID 1268 wrote to memory of 1636: Explorer.EXE -> rundll32.exe (7 entries)
- PID 1636 wrote to memory of 1472: rundll32.exe -> cmd.exe (4 entries)
Processes (tree; depth shown by indentation, each entry lists path, command line, and triggered signatures)
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\payment-000598635.docx"
        - Abuses OpenXML format to download file from external location
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\splwow64.exe
            command line: C:\Windows\splwow64.exe 12288
    [2] C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Public\vbc.exe"
-
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Public\vbc.exe
        command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Public\vbc.exe
            command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  MD5: f0704d234d472b13e856f90d8649806d
  SHA1: 8b7a926407506c3c3741ca3ff709986d5f1a2387
  SHA256: 6c3cf8e4e67fb4ea86c48e918d6ebdecc2b4903553798d1e0e1fcb73376105dc
  SHA512: a1cacc0dd2b0f4ffdf082980d288e98c493a6581f09265e13b9f94f9efcc7bb4300aa7346e533761315237038990646d267b0b43ca2e71fabd3c6a9d92ee93e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  MD5: dcf3106d96d2b26426e5bb52fae5b860
  SHA1: fc3524f22fe9d490bb226551b609b0661467aebc
  SHA256: eed6ae3690a68553bb2f6ff60513f5e61efc67c7371f24c4aec979e348a10425
  SHA512: ce4ce21d0741cd71a3de83054934ff51b46225fe43eceeffdd844bd82d4d5c1f441cea687534cdf4b860fbe9b2f42131845819e0851b74da2962881aa28bbe2d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 0efdfa7b0372c90ad14de334d2d6b7e9
  SHA1: b8ff254645904ba4f667d0a428276eb9adf7f547
  SHA256: f2edd8d8bc1ba12b68a99b938a6df7ed03299229faf6bc4af8ffdbbc445246df
  SHA512: 642f9720c9bf6cb264bdd795c45244d527bd679799728d3032c4fa4356e6ba9f2e393f0032562e09c447dcbcd2d0272513e5fee7cd12eb26e1c5df5800a92fb0
-
C:\Users\Public\vbc.exe (listed 3 times as C:\Users\Public\vbc.exe and 4 times as \Users\Public\vbc.exe, identical hashes)
  MD5: 020adea3f32c15a0dc4a23522798c3f2
  SHA1: 88378c179cc71548d98eb0500829019be8f22dcb
  SHA256: e3404e10a2f6b9abb35ab5869a8c78167c82b72815bc59983cd018170412d53d
  SHA512: 1a903bfebf8c75dd08e5907f3fcacfc44635df1a1563b2cbab704ee6d5370b350600c1d23921aac0d20b69a2033d4aad6131ec7e5971b46d7445dc93536370d8
-
Memory dumps (resource: filesize)
- memory/784-60-0x0000000072391000-0x0000000072394000-memory.dmp: 12KB
- memory/784-62-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/784-61-0x000000006FE11000-0x000000006FE13000-memory.dmp: 8KB
- memory/784-80-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1232-83-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/1232-88-0x0000000000210000-0x0000000000221000-memory.dmp: 68KB
- memory/1232-87-0x0000000000930000-0x0000000000C33000-memory.dmp: 3.0MB
- memory/1232-84-0x000000000041D090-mapping.dmp
- memory/1268-97-0x0000000006190000-0x0000000006297000-memory.dmp: 1.0MB
- memory/1268-89-0x00000000060C0000-0x000000000618C000-memory.dmp: 816KB
- memory/1472-92-0x0000000000000000-mapping.dmp
- memory/1636-95-0x00000000021F0000-0x00000000024F3000-memory.dmp: 3.0MB
- memory/1636-90-0x0000000000000000-mapping.dmp
- memory/1636-94-0x0000000000090000-0x00000000000B9000-memory.dmp: 164KB
- memory/1636-93-0x0000000000800000-0x000000000080E000-memory.dmp: 56KB
- memory/1636-96-0x0000000001E30000-0x0000000001EC0000-memory.dmp: 576KB
- memory/1680-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp: 8KB
- memory/1700-76-0x0000000000000000-mapping.dmp
- memory/1700-77-0x000007FEFB891000-0x000007FEFB893000-memory.dmp: 8KB
- memory/1760-82-0x0000000004650000-0x00000000046B5000-memory.dmp: 404KB
- memory/1760-81-0x0000000005040000-0x00000000050E8000-memory.dmp: 672KB
- memory/1760-79-0x0000000000490000-0x000000000049E000-memory.dmp: 56KB
- memory/1760-78-0x0000000004C60000-0x0000000004C61000-memory.dmp: 4KB
- memory/1760-74-0x0000000000850000-0x0000000000851000-memory.dmp: 4KB
- memory/1760-71-0x0000000000000000-mapping.dmp