Analysis
- max time kernel: 142s
- max time network: 179s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-06-2021 02:24
Static task: static1
Behavioral task: behavioral1
  Sample: Booking Confirmation.docx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Booking Confirmation.docx
  Resource: win10v20210410
General
- Target: Booking Confirmation.docx
- Size: 10KB
- MD5: 719d1eb8a4794b7e58802a43a1241e9c
- SHA1: 944fd5deccb84a8a810958ce45a105beaaf11b1f
- SHA256: f65d63d34801ef0fdbd2b204a27cfaacca7e36dd9373553e2d6d901d493354d2
- SHA512: 95f2cde4dcda16134b04ed6489c026205a972b0f3060146c016223b0bb914f76ab62d89197d05ba1b8a06a284bfd0dd18da76b9b45e7b2cc91378601438032ef
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    12 / 652 / EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    760 / vbc.exe
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
    Key opened / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQZmn / WINWORD.EXE
- Loads dropped DLL (5 IoCs)
  Processes (pid / process):
    652 / EQNEDT32.EXE (5 entries, all pid 652)
- Uses the VBS compiler for execution (1 TTP)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / WINWORD.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt / WINWORD.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / WINWORD.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / WINWORD.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / WINWORD.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / WINWORD.EXE
    Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / WINWORD.EXE
    Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
    604 / WINWORD.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid / process):
    604 / WINWORD.EXE
    604 / WINWORD.EXE
    760 / vbc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 652 wrote to memory of 760 / 652 / EQNEDT32.EXE / vbc.exe (4 entries)
    PID 604 wrote to memory of 1756 / 604 / WINWORD.EXE / splwow64.exe (4 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (child of EQNEDT32.EXE)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\vbc.exe (the report lists this same file five more times as \Users\Public\vbc.exe, with identical hashes)
  MD5: 788016c9072423914b96f0d15a61812d
  SHA1: 040f85b4ef512bb74990becfa1a5029f92eb65c7
  SHA256: df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4
  SHA512: c9a75e6b54113d3d02c32d314ff76cc82b9bd4b88d07fec6b7636417e49184ebb691ecf63db3aac8dd4a96e49392959638c70ab20412f1c4454ac7963266c2c4
-
memory/604-60-0x000000006FEC1000-0x000000006FEC3000-memory.dmpFilesize
8KB
-
memory/604-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/604-59-0x0000000072441000-0x0000000072444000-memory.dmpFilesize
12KB
-
memory/652-62-0x0000000075211000-0x0000000075213000-memory.dmpFilesize
8KB
-
memory/760-68-0x0000000000000000-mapping.dmp
-
memory/760-74-0x0000000000310000-0x0000000000321000-memory.dmpFilesize
68KB
-
memory/1756-72-0x0000000000000000-mapping.dmp
-
memory/1756-73-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmpFilesize
8KB