Analysis
max time kernel: 147s
max time network: 134s
platform: windows7_x64
resource: win7v20210410
submitted: 22-06-2021 09:50
Static task: static1
Behavioral task: behavioral1 (Sample INV2021-20800.docx, Resource win7v20210410)
Behavioral task: behavioral2 (Sample INV2021-20800.docx, Resource win10v20210408)
General
Target: INV2021-20800.docx
Size: 10KB
MD5: 6c1c7232217cf3ac24711d9d5588126d
SHA1: 03900482a118b894b2a5154dba552a543ccb7eb3
SHA256: 040ce819e4f59dd7803e3c75da71048dd8fcf3b28f840889562fd55b6e3f74f2
SHA512: fb792cb769fb519529fa5029fbef1aef286ce30d9defaf698d4b5450965854b563e36e46b852f4a7df9f0fcc60ed4185b7b23c245dba0e7529ce57cf9dabf8e2
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.rocketschool.net/nf2/
Signatures

Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1336-80-0x000000000041EB30-mapping.dmp | formbook
behavioral1/memory/1336-79-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/2004-90-0x00000000000D0000-0x00000000000FE000-memory.dmp | formbook
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
13 | 1184 | EQNEDT32.EXE

Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes:
pid | process
1516 | vbc.exe
1336 | vbc.exe
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://itsssl.com/jBbhJ | WINWORD.EXE
Loads dropped DLL 4 IoCs
Processes:
pid | process
1184 | EQNEDT32.EXE (4 occurrences)

Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1516 set thread context of 1336 | 1516 | vbc.exe | vbc.exe
PID 1336 set thread context of 1288 | 1336 | vbc.exe | Explorer.EXE
PID 2004 set thread context of 1288 | 2004 | cmstp.exe | Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
772 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
1516 | vbc.exe
1336 | vbc.exe (2 occurrences)
2004 | cmstp.exe (13 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1288 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
1336 | vbc.exe (3 occurrences)
2004 | cmstp.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1516 | vbc.exe
Token: SeDebugPrivilege | 1336 | vbc.exe
Token: SeDebugPrivilege | 2004 | cmstp.exe
Token: SeShutdownPrivilege | 772 | WINWORD.EXE
Token: SeShutdownPrivilege | 1288 | Explorer.EXE (5 occurrences)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
772 | WINWORD.EXE (2 occurrences)
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description | pid | process | target process
PID 1184 wrote to memory of 1516 | 1184 | EQNEDT32.EXE | vbc.exe (4 occurrences)
PID 772 wrote to memory of 1608 | 772 | WINWORD.EXE | splwow64.exe (4 occurrences)
PID 1516 wrote to memory of 1336 | 1516 | vbc.exe | vbc.exe (7 occurrences)
PID 1288 wrote to memory of 2004 | 1288 | Explorer.EXE | cmstp.exe (7 occurrences)
PID 2004 wrote to memory of 548 | 2004 | cmstp.exe | cmd.exe (4 occurrences)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV2021-20800.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
MD5: fa0d69a3ff0a272e9e16c1fcac400a6a
SHA1: be235c4800548dddf216d72b5c3e22024f6be642
SHA256: 6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f
SHA512: 007b33891749560daa3102b5aae00b0dacb8dd2aa533d8ba991bc2dd0449907275fcd09364bfb069571fe44acae64b1f496593c488c365715021c385a834677e
memory/548-88-0x0000000000000000-mapping.dmp
memory/772-60-0x0000000072C81000-0x0000000072C84000-memory.dmp (Filesize 12KB)
memory/772-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/772-61-0x0000000070701000-0x0000000070703000-memory.dmp (Filesize 8KB)
memory/772-93-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/1184-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize 8KB)
memory/1288-94-0x00000000064A0000-0x00000000065AB000-memory.dmp (Filesize 1.0MB)
memory/1288-85-0x0000000005F60000-0x0000000006088000-memory.dmp (Filesize 1.2MB)
memory/1336-84-0x0000000000140000-0x0000000000154000-memory.dmp (Filesize 80KB)
memory/1336-83-0x0000000000A30000-0x0000000000D33000-memory.dmp (Filesize 3.0MB)
memory/1336-79-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
memory/1336-80-0x000000000041EB30-mapping.dmp
memory/1516-77-0x00000000056C0000-0x0000000005738000-memory.dmp (Filesize 480KB)
memory/1516-78-0x00000000008C0000-0x00000000008FD000-memory.dmp (Filesize 244KB)
memory/1516-76-0x0000000000590000-0x00000000005A0000-memory.dmp (Filesize 64KB)
memory/1516-75-0x0000000004330000-0x0000000004331000-memory.dmp (Filesize 4KB)
memory/1516-71-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize 4KB)
memory/1516-68-0x0000000000000000-mapping.dmp
memory/1608-74-0x000007FEFC181000-0x000007FEFC183000-memory.dmp (Filesize 8KB)
memory/1608-73-0x0000000000000000-mapping.dmp
memory/2004-86-0x0000000000000000-mapping.dmp
memory/2004-90-0x00000000000D0000-0x00000000000FE000-memory.dmp (Filesize 184KB)
memory/2004-91-0x0000000002220000-0x0000000002523000-memory.dmp (Filesize 3.0MB)
memory/2004-89-0x0000000000E00000-0x0000000000E18000-memory.dmp (Filesize 96KB)
memory/2004-92-0x0000000000910000-0x00000000009A3000-memory.dmp (Filesize 588KB)