Analysis

max time kernel: 145s
max time network: 130s
platform: windows7_x64
resource: win7v20210410
submitted: 07-06-2021 10:33

Static task: static1
Behavioral task: behavioral1 (Sample: PO523.docx, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: PO523.docx, Resource: win10v20210408)
General

Target: PO523.docx
Size: 10KB
MD5: e4afa614fdf22dbbbc6827eaae382588
SHA1: 68169a695313e88ef1e8f55ece0652ec592c85f4
SHA256: e030587e4c5e9109c8e7647da36ffa7ba97b0ee1a1a1039ee7cb1f0927d3e14b
SHA512: 47b7a48b530dff2b412db333a358c90627cb3a55de82ba576ab410f3bd4813616f1371e37037bda58ca061d1eddd3a0b30f79f4df3340e403ddc0ca21f7b258a
Malware Config

Extracted
Family: formbook
Version: 4.1
http://www.girlsnightbag.com/dms/
commachic.com
accessremits.com
dopefight.com
awdinfo.com
nguyenanhnhat.com
mailposse.com
teachingpart-time.com
nurseryhost.com
creamstudiosmedellin.com
analisisproject.com
sanfranciscotraining.com
elitestatusconsulting.com
liguosucai.com
aterrior.com
estudiowoodpecker.com
float10x10.com
sbcforward.info
beyondthetrench.com
pavingllc.com
womensspecialcare.com
purpose-power-peace.com
garaurepresent.com
inekasphotography.com
classimusic.com
royalsupport18.com
feelbeautifulwithdee.co.uk
jbxdc.com
cad11.com
carweekoutlaws.com
portprive.email
modoo-cash.com
the-selfie-masters.com
insuranceneedsdmv.com
levanahjoyas.com
tn-adrc.com
dgbkny.com
fartifications.com
oguzfreze.com
malikman.com
fiestamexicanasalsa.com
shrinkedfact.com
flatnoseranch.com
midwestsolutions.net
putwild.xyz
ftlauderdaleaesthetics.com
losfundadoresreliquia.com
1835a.com
thefemalephilosopherartist.com
rrplun.com
dealbasis.com
monashishaland.com
walterlotz.com
dettagliperu.com
ispartareklamajansi.com
minemeapp.com
arbhost.info
theoptimistheart.com
alquilerautocaravanas.net
upclubmusic.com
jygraphics.com
thermalerosion.com
preipowealthbuilding.com
ownthelightbetweenoceans.com
nivxros.com
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1380-79-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1380-80-0x000000000041EC20-mapping.dmp | formbook
behavioral1/memory/1672-89-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook

Blocklisted process makes network request (1 IoC)
flow | pid | process
9 | 1108 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid | process
1056 | vbc.exe
1380 | vbc.exe

Abuses OpenXML format to download file from external location (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://37.120.206.70/Mend/m.wbk | WINWORD.EXE

Loads dropped DLL (4 IoCs)
pid | process
1108 | EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1056 set thread context of 1380 | 1056 | vbc.exe | vbc.exe
PID 1380 set thread context of 1208 | 1380 | vbc.exe | Explorer.EXE
PID 1672 set thread context of 1208 | 1672 | wininit.exe | Explorer.EXE

Drops file in Windows directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (9 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
1656 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
1056 | vbc.exe
1380 | vbc.exe (2 entries)
1672 | wininit.exe (5 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1208 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
1380 | vbc.exe (3 entries)
1672 | wininit.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 1656 | WINWORD.EXE
Token: SeDebugPrivilege | 1056 | vbc.exe
Token: SeDebugPrivilege | 1380 | vbc.exe
Token: SeDebugPrivilege | 1672 | wininit.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1656 | WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | process | target process
PID 1108 wrote to memory of 1056 | 1108 | EQNEDT32.EXE | vbc.exe (4 entries)
PID 1656 wrote to memory of 1552 | 1656 | WINWORD.EXE | splwow64.exe (4 entries)
PID 1056 wrote to memory of 1380 | 1056 | vbc.exe | vbc.exe (7 entries)
PID 1208 wrote to memory of 1672 | 1208 | Explorer.EXE | wininit.exe (4 entries)
PID 1672 wrote to memory of 1840 | 1672 | wininit.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO523.docx"
        - Abuses OpenXML format to download file from external location
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\splwow64.exe
            command line: C:\Windows\splwow64.exe 12288

    C:\Windows\SysWOW64\wininit.exe
        command line: "C:\Windows\SysWOW64\wininit.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
        command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Public\vbc.exe
            command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5: af48e96aad0bbe98474261f6b2e98a49
SHA1: 989fdbbb07399a9655719b12d2f432c9af5d247f
SHA256: eca743d09cc8551e9695be6fd6a7366db1751eac8872b6a3f384e61b56d0f25b
SHA512: 8ae6569004532d26b348db297e8f567844f05dbd61a4e6c8959d6de515f28c7f8fea120f7689eb6d8883eb597e989afb1d7bdeeff4891d088ef2900fcd389bf5
-
\Users\Public\vbc.exe
MD5: af48e96aad0bbe98474261f6b2e98a49
SHA1: 989fdbbb07399a9655719b12d2f432c9af5d247f
SHA256: eca743d09cc8551e9695be6fd6a7366db1751eac8872b6a3f384e61b56d0f25b
SHA512: 8ae6569004532d26b348db297e8f567844f05dbd61a4e6c8959d6de515f28c7f8fea120f7689eb6d8883eb597e989afb1d7bdeeff4891d088ef2900fcd389bf5
-
memory/1056-74-0x00000000005A0000-0x00000000005BE000-memory.dmp (120KB)
memory/1056-67-0x0000000000000000-mapping.dmp
memory/1056-78-0x0000000002090000-0x00000000020D1000-memory.dmp (260KB)
memory/1056-70-0x0000000000A10000-0x0000000000A11000-memory.dmp (4KB)
memory/1056-77-0x0000000005130000-0x00000000051B6000-memory.dmp (536KB)
memory/1056-75-0x0000000004E20000-0x0000000004E21000-memory.dmp (4KB)
memory/1108-62-0x0000000074F31000-0x0000000074F33000-memory.dmp (8KB)
memory/1208-85-0x0000000004400000-0x00000000044F8000-memory.dmp (992KB)
memory/1208-92-0x0000000004D30000-0x0000000004E56000-memory.dmp (1.1MB)
memory/1380-83-0x0000000000B40000-0x0000000000E43000-memory.dmp (3.0MB)
memory/1380-80-0x000000000041EC20-mapping.dmp
memory/1380-79-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
memory/1380-84-0x00000000001D0000-0x00000000001E4000-memory.dmp (80KB)
memory/1552-72-0x0000000000000000-mapping.dmp
memory/1552-73-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp (8KB)
memory/1656-59-0x0000000072491000-0x0000000072494000-memory.dmp (12KB)
memory/1656-60-0x000000006FF11000-0x000000006FF13000-memory.dmp (8KB)
memory/1656-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1656-76-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1672-86-0x0000000000000000-mapping.dmp
memory/1672-88-0x0000000000480000-0x000000000049A000-memory.dmp (104KB)
memory/1672-89-0x0000000000080000-0x00000000000AE000-memory.dmp (184KB)
memory/1672-90-0x0000000001E90000-0x0000000002193000-memory.dmp (3.0MB)
memory/1672-91-0x0000000002240000-0x00000000022D3000-memory.dmp (588KB)
memory/1840-87-0x0000000000000000-mapping.dmp