Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 04-06-2021 12:06

Static task: static1

Behavioral task: behavioral1
Sample: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
Resource: win7v20210408

Behavioral task: behavioral2
Sample: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
Resource: win10v20210408

General

Target: REQUEST URGENT INQUIRY Order No. BCM #03122020.docx
Size: 10KB
MD5: cbe2bf1df01f128648e5fb90bb3f3c5f
SHA1: 8917dd86f3c03bb10a4df45ef6a1bf012e10a897
SHA256: fd4201668cc230dca3ada4023264462745d786fdf81c4547cc41ef291fda318f
SHA512: 8afc7de3a0d5659eecca7490a61c6963789d1d27bda501401242c8b58b333febf3be8efba609737188c2319043b6d0366bb7a54a5f8c2b5fb91840854b4f54da
Malware Config

Extracted
Family: formbook
Version: 4.1
C2: http://www.rocketschool.net/nf2/
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1160-81-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1160-82-0x000000000041EB30-mapping.dmp | formbook
behavioral1/memory/1640-91-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook

Blocklisted process makes network request (1 IoCs)
flow | pid | process
10 | 1848 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
pid | process
752 | vbc.exe
916 | vbc.exe
1160 | vbc.exe
Abuses OpenXML format to download file from external location (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://37.120.206.70/dom/d.wbk | WINWORD.EXE

Loads dropped DLL (4 IoCs)
pid | process
1848 | EQNEDT32.EXE (4 occurrences)

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 752 set thread context of 1160 | 752 | vbc.exe | vbc.exe
PID 1160 set thread context of 1208 | 1160 | vbc.exe | Explorer.EXE
PID 1640 set thread context of 1208 | 1640 | cmd.exe | Explorer.EXE

Drops file in Windows directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | process
1948 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
752 | vbc.exe (3 occurrences)
1160 | vbc.exe (2 occurrences)
1640 | cmd.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
1208 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
1160 | vbc.exe (3 occurrences)
1640 | cmd.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 1948 | WINWORD.EXE
Token: SeDebugPrivilege | 752 | vbc.exe
Token: SeDebugPrivilege | 1160 | vbc.exe
Token: SeDebugPrivilege | 1640 | cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1948 | WINWORD.EXE (2 occurrences)

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | process | target process | occurrences
PID 1848 wrote to memory of 752 | 1848 | EQNEDT32.EXE | vbc.exe | 4
PID 1948 wrote to memory of 1040 | 1948 | WINWORD.EXE | splwow64.exe | 4
PID 752 wrote to memory of 916 | 752 | vbc.exe | vbc.exe | 4
PID 752 wrote to memory of 1160 | 752 | vbc.exe | vbc.exe | 7
PID 1208 wrote to memory of 1640 | 1208 | Explorer.EXE | cmd.exe | 4
PID 1640 wrote to memory of 1676 | 1640 | cmd.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\REQUEST URGENT INQUIRY Order No. BCM #03122020.docx"
        - Abuses OpenXML format to download file from external location
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\splwow64.exe
            Command line: C:\Windows\splwow64.exe 12288

    C:\Windows\SysWOW64\autofmt.exe
        Command line: "C:\Windows\SysWOW64\autofmt.exe"

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\SysWOW64\cmd.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Public\vbc.exe
            Command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE

        C:\Users\Public\vbc.exe
            Command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Public\vbc.exe
MD5: caa1077d03ee5522c9f29ffce8551b0e
SHA1: 7d4d49495ff71e244a85916fb64915a34b1ba67c
SHA256: 9577374f647802bfb3e6c06622895af1d2bd19d3b4b0cdbefa807c64f6022c04
SHA512: 50f0b75a7de213275afe2746dfbe969b7ef903552cbe0596154437b8711e4f079f0054618bcd6771a553980173c7878debb4cb8a568950fef4e39390efdb2cd0
memory/752-68-0x0000000000000000-mapping.dmp
memory/752-78-0x0000000004DD0000-0x0000000004E49000-memory.dmp (Filesize: 484KB)
memory/752-79-0x00000000008A0000-0x00000000008D7000-memory.dmp (Filesize: 220KB)
memory/752-71-0x00000000009D0000-0x00000000009D1000-memory.dmp (Filesize: 4KB)
memory/752-75-0x0000000000680000-0x0000000000694000-memory.dmp (Filesize: 80KB)
memory/752-76-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize: 4KB)
memory/1040-73-0x0000000000000000-mapping.dmp
memory/1040-74-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp (Filesize: 8KB)
memory/1160-86-0x0000000000190000-0x00000000001A4000-memory.dmp (Filesize: 80KB)
memory/1160-81-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/1160-85-0x0000000000AF0000-0x0000000000DF3000-memory.dmp (Filesize: 3.0MB)
memory/1160-82-0x000000000041EB30-mapping.dmp
memory/1208-87-0x0000000006150000-0x00000000062FA000-memory.dmp (Filesize: 1.7MB)
memory/1208-94-0x00000000044A0000-0x0000000004587000-memory.dmp (Filesize: 924KB)
memory/1640-88-0x0000000000000000-mapping.dmp
memory/1640-90-0x000000004A030000-0x000000004A07C000-memory.dmp (Filesize: 304KB)
memory/1640-91-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize: 184KB)
memory/1640-92-0x0000000002100000-0x0000000002403000-memory.dmp (Filesize: 3.0MB)
memory/1640-93-0x0000000001E30000-0x0000000001EC3000-memory.dmp (Filesize: 588KB)
memory/1676-89-0x0000000000000000-mapping.dmp
memory/1848-63-0x0000000075511000-0x0000000075513000-memory.dmp (Filesize: 8KB)
memory/1948-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
memory/1948-61-0x000000006FD31000-0x000000006FD33000-memory.dmp (Filesize: 8KB)
memory/1948-60-0x00000000722B1000-0x00000000722B4000-memory.dmp (Filesize: 12KB)
memory/1948-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)