Analysis
max time kernel: 150s
max time network: 135s
platform: windows7_x64
resource: win7v20210410
submitted: 15-06-2021 14:15

Static task: static1
Behavioral task: behavioral1
  Sample: Finalised With Changes.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Finalised With Changes.docx
  Resource: win10v20210408

General
Target: Finalised With Changes.docx
Size: 10KB
MD5: 6c09cfa2a148680caa675b37cc908d92
SHA1: e56e4c7405c2debb2f8e4f572e5ac50bb5999f3b
SHA256: 012cca592dca94980a85020ffbddc96dd1bafc547d577d58f853d39e3c20d125
SHA512: cd8af3833888cb612d902716afc27aecbb6cc97c9cee0ae6eae18bda78571e573c90a77bd22524022fc851166b0cbb7015971c9f17d4dcd6c7047559625060b9
Malware Config
Extracted: xloader 2.3
URL: http://www.etnttcil.com/usur/
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1540-78-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral1/memory/1540-79-0x000000000041D020-mapping.dmp  xloader
behavioral1/memory/1300-90-0x0000000000090000-0x00000000000B8000-memory.dmp  xloader
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
13    980  EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
860   vbc.exe
1540  vbc.exe
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Key opened   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://itsssl.com/uUWXb  WINWORD.EXE
Loads dropped DLL 4 IoCs
Processes:
pid  process
980  EQNEDT32.EXE
980  EQNEDT32.EXE
980  EQNEDT32.EXE
980  EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process    target process
PID 860 set thread context of 1540   860   vbc.exe    vbc.exe
PID 1540 set thread context of 1288  1540  vbc.exe    Explorer.EXE
PID 1540 set thread context of 1288  1540  vbc.exe    Explorer.EXE
PID 1300 set thread context of 1288  1300  wuapp.exe  Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
description                   ioc                                process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description      ioc  process
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1084  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   process
1540  vbc.exe
1540  vbc.exe
1540  vbc.exe
1300  wuapp.exe
1300  wuapp.exe
1300  wuapp.exe
1300  wuapp.exe
1300  wuapp.exe
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
1540  vbc.exe
1540  vbc.exe
1540  vbc.exe
1540  vbc.exe
1300  wuapp.exe
1300  wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1540  vbc.exe
Token: SeDebugPrivilege     1300  wuapp.exe
Token: SeShutdownPrivilege  1288  Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1084  WINWORD.EXE
1084  WINWORD.EXE
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description                        pid   process       target process
PID 980 wrote to memory of 860     980   EQNEDT32.EXE  vbc.exe
PID 980 wrote to memory of 860     980   EQNEDT32.EXE  vbc.exe
PID 980 wrote to memory of 860     980   EQNEDT32.EXE  vbc.exe
PID 980 wrote to memory of 860     980   EQNEDT32.EXE  vbc.exe
PID 1084 wrote to memory of 1756   1084  WINWORD.EXE   splwow64.exe
PID 1084 wrote to memory of 1756   1084  WINWORD.EXE   splwow64.exe
PID 1084 wrote to memory of 1756   1084  WINWORD.EXE   splwow64.exe
PID 1084 wrote to memory of 1756   1084  WINWORD.EXE   splwow64.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 860 wrote to memory of 1540    860   vbc.exe       vbc.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1540 wrote to memory of 1300   1540  vbc.exe       wuapp.exe
PID 1300 wrote to memory of 916    1300  wuapp.exe     cmd.exe
PID 1300 wrote to memory of 916    1300  wuapp.exe     cmd.exe
PID 1300 wrote to memory of 916    1300  wuapp.exe     cmd.exe
PID 1300 wrote to memory of 916    1300  wuapp.exe     cmd.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Finalised With Changes.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wuapp.exe
        Command line: "C:\Windows\SysWOW64\wuapp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Public\vbc.exe"
Downloads
C:\Users\Public\vbc.exe
MD5: 8939dd2697f5145f6eb5e034614e7ecb
SHA1: 884be97f54895461ff2760887f239456d3bbcc30
SHA256: d3bc3ef9f2871efe5ff6565e37a0dcfacf47e4625b34d7bbe69b178698a9a21a
SHA512: 6d1559bdd2a8417f3e5014e7e5febfc065bf7c994f70cfb22c17a8eaffe92d55826d5f277c49d1919d5e075a73c39476328c361e72819e739d2178f82020a873
memory/860-76-0x00000000050B0000-0x000000000512F000-memory.dmp  Filesize 508KB
memory/860-75-0x0000000000590000-0x00000000005AB000-memory.dmp  Filesize 108KB
memory/860-70-0x00000000009E0000-0x00000000009E1000-memory.dmp  Filesize 4KB
memory/860-67-0x0000000000000000-mapping.dmp
memory/860-77-0x0000000002200000-0x0000000002237000-memory.dmp  Filesize 220KB
memory/860-74-0x0000000004D10000-0x0000000004D11000-memory.dmp  Filesize 4KB
memory/916-88-0x0000000000000000-mapping.dmp
memory/980-62-0x00000000752F1000-0x00000000752F3000-memory.dmp  Filesize 8KB
memory/1084-60-0x0000000070321000-0x0000000070323000-memory.dmp  Filesize 8KB
memory/1084-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
memory/1084-59-0x00000000728A1000-0x00000000728A4000-memory.dmp  Filesize 12KB
memory/1288-86-0x0000000007380000-0x00000000074E3000-memory.dmp  Filesize 1.4MB
memory/1288-84-0x0000000004FF0000-0x0000000005131000-memory.dmp  Filesize 1.3MB
memory/1300-92-0x0000000000A10000-0x0000000000A9F000-memory.dmp  Filesize 572KB
memory/1300-89-0x0000000000EA0000-0x0000000000EAB000-memory.dmp  Filesize 44KB
memory/1300-91-0x0000000000B70000-0x0000000000E73000-memory.dmp  Filesize 3.0MB
memory/1300-90-0x0000000000090000-0x00000000000B8000-memory.dmp  Filesize 160KB
memory/1300-87-0x0000000000000000-mapping.dmp
memory/1540-85-0x00000000001F0000-0x0000000000200000-memory.dmp  Filesize 64KB
memory/1540-83-0x00000000000B0000-0x00000000000C0000-memory.dmp  Filesize 64KB
memory/1540-82-0x0000000000AC0000-0x0000000000DC3000-memory.dmp  Filesize 3.0MB
memory/1540-79-0x000000000041D020-mapping.dmp
memory/1540-78-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize 160KB
memory/1756-72-0x0000000000000000-mapping.dmp
memory/1756-73-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp  Filesize 8KB