65a0e831a9a7680b0440a3afbfa71e6ddef2e2745301953e168a02ecf4d6d3d4

Analysis

max time kernel
132s
max time network
103s
platform
windows7_x64
resource
win7v20210408
submitted
14-06-2021 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift_Payment.MT103.docx
Size

10KB
MD5

92614cfd1b385cc6e38156a4ce269602
SHA1

b32113fc539912f706e55fefe7a91bb903e4d719
SHA256

65a0e831a9a7680b0440a3afbfa71e6ddef2e2745301953e168a02ecf4d6d3d4
SHA512

eabf4df35bcbc0fdff14ae447690434d88653586038075c50aa1f09d6f1fb34e0df1486487e9a9abc1a5275eac6cee82a92f55deba37a5fe63493bba0a9f11dd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

12 1480 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

548 vbc.exe
1996 vbc.exe
1932 vbc.exe
916 vbc.exe
1320 vbc.exe
948 vbc.exe

flow	pid	process
12	1480	EQNEDT32.EXE

pid	process
548	vbc.exe
1996	vbc.exe
1932	vbc.exe
916	vbc.exe
1320	vbc.exe
948	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://xy2.eu/e9yp	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1480 EQNEDT32.EXE
1480 EQNEDT32.EXE
1480 EQNEDT32.EXE
1480 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1480 EQNEDT32.EXE

pid	process
1480	EQNEDT32.EXE
1480	EQNEDT32.EXE
1480	EQNEDT32.EXE
1480	EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1480	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

684 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
548 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEvbc.exe

description pid process

Token: SeShutdownPrivilege 684 WINWORD.EXE
Token: SeDebugPrivilege 548 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

684 WINWORD.EXE
684 WINWORD.EXE

pid	process
684	WINWORD.EXE

pid	process
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe
548	vbc.exe

description	pid	process
Token: SeShutdownPrivilege	684	WINWORD.EXE
Token: SeDebugPrivilege	548	vbc.exe

pid	process
684	WINWORD.EXE
684	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1480 wrote to memory of 548	1480	EQNEDT32.EXE	vbc.exe
PID 1480 wrote to memory of 548	1480	EQNEDT32.EXE	vbc.exe
PID 1480 wrote to memory of 548	1480	EQNEDT32.EXE	vbc.exe
PID 1480 wrote to memory of 548	1480	EQNEDT32.EXE	vbc.exe
PID 684 wrote to memory of 1544	684	WINWORD.EXE	splwow64.exe
PID 684 wrote to memory of 1544	684	WINWORD.EXE	splwow64.exe
PID 684 wrote to memory of 1544	684	WINWORD.EXE	splwow64.exe
PID 684 wrote to memory of 1544	684	WINWORD.EXE	splwow64.exe
PID 548 wrote to memory of 1996	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1996	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1996	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1996	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1932	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1932	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1932	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1932	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 916	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 916	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 916	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 916	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1320	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1320	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1320	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 1320	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 948	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 948	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 948	548	vbc.exe	vbc.exe
PID 548 wrote to memory of 948	548	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift_Payment.MT103.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1544

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1996

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1932

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:916

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1320

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
C:\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
\Users\Public\vbc.exe
MD5
b9032e2b7b07123f625f5d9e6e4f4796

SHA1
a06bcdf6aab7fb82dad340465035549cd853e047

SHA256
120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c

SHA512
a53309359e78dae4acef870b5c93040e1a851a97a7e6b9a9776ebfd80ca6f097e88cb20b2ac9a3bac7211562efbe552475556209c9372d03a0e1a8555fe211b6

Download Submit
memory/548-79-0x0000000001FC0000-0x0000000002009000-memory.dmp

Filesize
292KB

Download
memory/548-75-0x0000000000710000-0x000000000072E000-memory.dmp

Filesize
120KB

Download
memory/548-76-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/548-78-0x0000000004C70000-0x0000000004CFE000-memory.dmp

Filesize
568KB

Download
memory/548-71-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/548-68-0x0000000000000000-mapping.dmp

Download
memory/684-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/684-60-0x00000000724F1000-0x00000000724F4000-memory.dmp

Filesize
12KB

Download
memory/684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/684-61-0x000000006FF71000-0x000000006FF73000-memory.dmp

Filesize
8KB

Download
memory/1480-63-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1544-73-0x0000000000000000-mapping.dmp

Download
memory/1544-74-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download