Overview

overview

10

Static

static

10

Booking Co...n.docx

windows7_x64

8

Booking Co...n.docx

windows10_x64

1

Analysis

  • max time kernel
    142s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    08-06-2021 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking Confirmation.docx

  • Size

    10KB

  • MD5

    719d1eb8a4794b7e58802a43a1241e9c

  • SHA1

    944fd5deccb84a8a810958ce45a105beaaf11b1f

  • SHA256

    f65d63d34801ef0fdbd2b204a27cfaacca7e36dd9373553e2d6d901d493354d2

  • SHA512

    95f2cde4dcda16134b04ed6489c026205a972b0f3060146c016223b0bb914f76ab62d89197d05ba1b8a06a284bfd0dd18da76b9b45e7b2cc91378601438032ef

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1756
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:760

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      788016c9072423914b96f0d15a61812d

      SHA1

      040f85b4ef512bb74990becfa1a5029f92eb65c7

      SHA256

      df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

      SHA512

      c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4

      Download Submit
    • memory/604-60-0x000000006FEC1000-0x000000006FEC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/604-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/604-59-0x0000000072441000-0x0000000072444000-memory.dmp
      Filesize

      12KB

      Download
    • memory/652-62-0x0000000075211000-0x0000000075213000-memory.dmp
      Filesize

      8KB

      Download
    • memory/760-68-0x0000000000000000-mapping.dmp
      Download
    • memory/760-74-0x0000000000310000-0x0000000000321000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1756-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1756-73-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
      Filesize

      8KB

      Download