Analysis
max time kernel: 150s
max time network: 164s
platform: windows7_x64
resource: win7v20210410
submitted: 21-06-2021 11:36

Static task: static1
Behavioral task: behavioral1
  Sample: INV2021-20800.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: INV2021-20800.docx
  Resource: win10v20210408

General
Target: INV2021-20800.docx
Size: 10KB
MD5: c8c485325d6cc53942722aa48c280d4f
SHA1: 61b8fd6e92c390481e4a2386e87bc9437896af53
SHA256: 7912137590e4d0a4bcd3fdb006b37ba59aad20e6c27db10618f165870f817128
SHA512: d68f8ce4ed8e7133451a5bd55b5283129f671d38076382284332a4928f8ca58935410bf0fa09ce8ad7c7ba681add0445747f9056a0e0efb438b90f83ab826e9c
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.rocketschool.net/nf2/
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/760-78-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/760-79-0x000000000041EB30-mapping.dmp | formbook
behavioral1/memory/1816-88-0x00000000000D0000-0x00000000000FE000-memory.dmp | formbook
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
14 | 512 | EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: vbc.exe, vbc.exe
pid | process
960 | vbc.exe
760 | vbc.exe
Abuses OpenXML format to download file from external location 2 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://itsssl.com/TyPzK | WINWORD.EXE
Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE
pid | process
512 | EQNEDT32.EXE (4 identical entries)
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes: vbc.exe, vbc.exe, wuapp.exe
description | pid | process | target process
PID 960 set thread context of 760 | 960 | vbc.exe | vbc.exe
PID 760 set thread context of 1208 | 760 | vbc.exe | Explorer.EXE
PID 1816 set thread context of 1208 | 1816 | wuapp.exe | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
1656 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes: vbc.exe, vbc.exe, wuapp.exe
pid | process
960 | vbc.exe
760 | vbc.exe (2 identical entries)
1816 | wuapp.exe (14 identical entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vbc.exe, wuapp.exe
pid | process
760 | vbc.exe (3 identical entries)
1816 | wuapp.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vbc.exe, vbc.exe, wuapp.exe
description | pid | process
Token: SeDebugPrivilege | 960 | vbc.exe
Token: SeDebugPrivilege | 760 | vbc.exe
Token: SeDebugPrivilege | 1816 | wuapp.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
1656 | WINWORD.EXE (2 identical entries)
Suspicious use of WriteProcessMemory 26 IoCs
Processes: EQNEDT32.EXE, WINWORD.EXE, vbc.exe, Explorer.EXE, wuapp.exe
description | pid | process | target process
PID 512 wrote to memory of 960 | 512 | EQNEDT32.EXE | vbc.exe (4 identical entries)
PID 1656 wrote to memory of 1388 | 1656 | WINWORD.EXE | splwow64.exe (4 identical entries)
PID 960 wrote to memory of 760 | 960 | vbc.exe | vbc.exe (7 identical entries)
PID 1208 wrote to memory of 1816 | 1208 | Explorer.EXE | wuapp.exe (7 identical entries)
PID 1816 wrote to memory of 1896 | 1816 | wuapp.exe | cmd.exe (4 identical entries)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV2021-20800.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5: 9588836132b1ace19a32adee8fc385d2
SHA1: fc31957fd4e9793f3164062ddfa39d62fa18e60e
SHA256: 05d6308da69a011a5f95088f5ae7d68aa09e430b05c169dc53d701776b08dd62
SHA512: c098a96d5424d46930c110077780110dba650e26ba2a70c3c2ea390afaf37b5633d2a89acbd27e6cfe128cee5a30f21a44614629f778ba47800dd49bd3f54513
-
resource | Filesize
memory/512-62-0x0000000074F31000-0x0000000074F33000-memory.dmp | 8KB
memory/760-82-0x0000000000B80000-0x0000000000E83000-memory.dmp | 3.0MB
memory/760-78-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/760-83-0x0000000000180000-0x0000000000194000-memory.dmp | 80KB
memory/760-79-0x000000000041EB30-mapping.dmp |
memory/960-74-0x0000000005090000-0x0000000005091000-memory.dmp | 4KB
memory/960-67-0x0000000000000000-mapping.dmp |
memory/960-75-0x0000000000200000-0x0000000000210000-memory.dmp | 64KB
memory/960-76-0x00000000057A0000-0x0000000005820000-memory.dmp | 512KB
memory/960-77-0x0000000000520000-0x0000000000564000-memory.dmp | 272KB
memory/960-70-0x0000000000AB0000-0x0000000000AB1000-memory.dmp | 4KB
memory/1208-84-0x0000000004D30000-0x0000000004E15000-memory.dmp | 916KB
memory/1388-73-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp | 8KB
memory/1388-72-0x0000000000000000-mapping.dmp |
memory/1656-59-0x0000000072491000-0x0000000072494000-memory.dmp | 12KB
memory/1656-61-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/1656-60-0x000000006FF11000-0x000000006FF13000-memory.dmp | 8KB
memory/1816-85-0x0000000000000000-mapping.dmp |
memory/1816-88-0x00000000000D0000-0x00000000000FE000-memory.dmp | 184KB
memory/1816-89-0x0000000000A80000-0x0000000000D83000-memory.dmp | 3.0MB
memory/1816-87-0x0000000000EF0000-0x0000000000EFB000-memory.dmp | 44KB
memory/1816-90-0x0000000000910000-0x00000000009A3000-memory.dmp | 588KB
memory/1896-86-0x0000000000000000-mapping.dmp |