Analysis
- max time kernel: 132s
- max time network: 103s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-06-2021 05:50
Static task: static1
Behavioral task: behavioral1
- Sample: Swift_Payment.MT103.docx
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Swift_Payment.MT103.docx
- Resource: win10v20210410
General
- Target: Swift_Payment.MT103.docx
- Size: 10KB
- MD5: 92614cfd1b385cc6e38156a4ce269602
- SHA1: b32113fc539912f706e55fefe7a91bb903e4d719
- SHA256: 65a0e831a9a7680b0440a3afbfa71e6ddef2e2745301953e168a02ecf4d6d3d4
- SHA512: eabf4df35bcbc0fdff14ae447690434d88653586038075c50aa1f09d6f1fb34e0df1486487e9a9abc1a5275eac6cee82a92f55deba37a5fe63493bba0a9f11dd
Malware Config
Signatures
- Blocklisted process makes network request 1 IoCs
  Processes (flow / pid / process):
  - 12 / 1480 / EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE 6 IoCs
  Processes (pid / process):
  - 548 / vbc.exe
  - 1996 / vbc.exe
  - 1932 / vbc.exe
  - 916 / vbc.exe
  - 1320 / vbc.exe
  - 948 / vbc.exe
- Abuses OpenXML format to download file from external location 2 IoCs
  Processes (description / ioc / process):
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
  - Key opened / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://xy2.eu/e9yp / WINWORD.EXE
- Loads dropped DLL 4 IoCs
  Processes (pid / process):
  - 1480 / EQNEDT32.EXE (4 identical entries)
- Uses the VBS compiler for execution 1 TTPs
- Drops file in Windows directory 1 IoCs
  Processes (description / ioc / process):
  - File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings 9 IoCs
  Processes (description / ioc / process):
  - Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / WINWORD.EXE
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / WINWORD.EXE
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / WINWORD.EXE
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt / WINWORD.EXE
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / WINWORD.EXE
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / WINWORD.EXE
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / WINWORD.EXE
  - Set value (int) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid / process):
  - 684 / WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes (pid / process):
  - 548 / vbc.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description / pid / process):
  - Token: SeShutdownPrivilege / 684 / WINWORD.EXE
  - Token: SeDebugPrivilege / 548 / vbc.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes (pid / process):
  - 684 / WINWORD.EXE (2 identical entries)
- Suspicious use of WriteProcessMemory 28 IoCs
  Processes (description / pid / process / target process):
  - PID 1480 wrote to memory of 548 / 1480 / EQNEDT32.EXE / vbc.exe (4 identical entries)
  - PID 684 wrote to memory of 1544 / 684 / WINWORD.EXE / splwow64.exe (4 identical entries)
  - PID 548 wrote to memory of 1996 / 548 / vbc.exe / vbc.exe (4 identical entries)
  - PID 548 wrote to memory of 1932 / 548 / vbc.exe / vbc.exe (4 identical entries)
  - PID 548 wrote to memory of 916 / 548 / vbc.exe / vbc.exe (4 identical entries)
  - PID 548 wrote to memory of 1320 / 548 / vbc.exe / vbc.exe (4 identical entries)
  - PID 548 wrote to memory of 948 / 548 / vbc.exe / vbc.exe (4 identical entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift_Payment.MT103.docx"
  Signatures:
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes (5 identical entries):
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      Signatures:
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe (7 identical entries)
  MD5: b9032e2b7b07123f625f5d9e6e4f4796
  SHA1: a06bcdf6aab7fb82dad340465035549cd853e047
  SHA256: 120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
  SHA512: a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6
- \Users\Public\vbc.exe (4 identical entries)
  MD5: b9032e2b7b07123f625f5d9e6e4f4796
  SHA1: a06bcdf6aab7fb82dad340465035549cd853e047
  SHA256: 120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
  SHA512: a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6
- memory/548-79-0x0000000001FC0000-0x0000000002009000-memory.dmp (Filesize: 292KB)
- memory/548-75-0x0000000000710000-0x000000000072E000-memory.dmp (Filesize: 120KB)
- memory/548-76-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize: 4KB)
- memory/548-78-0x0000000004C70000-0x0000000004CFE000-memory.dmp (Filesize: 568KB)
- memory/548-71-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)
- memory/548-68-0x0000000000000000-mapping.dmp
- memory/684-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/684-60-0x00000000724F1000-0x00000000724F4000-memory.dmp (Filesize: 12KB)
- memory/684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/684-61-0x000000006FF71000-0x000000006FF73000-memory.dmp (Filesize: 8KB)
- memory/1480-63-0x0000000075C71000-0x0000000075C73000-memory.dmp (Filesize: 8KB)
- memory/1544-73-0x0000000000000000-mapping.dmp
- memory/1544-74-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp (Filesize: 8KB)