Analysis
- max time kernel: 141s
- max time network: 177s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-06-2021 07:10
Static task: static1
Behavioral task: behavioral1
- Sample: proforma invoice.docx
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: proforma invoice.docx
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: proforma invoice.docx
- Size: 10KB
- MD5: 82f8c629f87ee2817431ee1caae6500c
- SHA1: 39ab645187be422bef46f84c50e8dde6e382383a
- SHA256: 1e5c7d755892b33d04097940dbc716232e7bde143119d25b282c532c242b5f7a
- SHA512: 638b4f924fac05dd81a7063cdef8bd71172ccb12223f64a746ab919d70613bc75c83c1fd861cee7f3402de1c6d8b9e77e8363d17bea904b5dcb13635e73edc43
Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: EQNEDT32.EXE
  flow | pid  | process
  8    | 1484 | EQNEDT32.EXE
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://0147.0205.0152.0220/....---------------------------------/...............................................wiz | WINWORD.EXE
- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE
  pid  | process
  1724 | WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  1724 | WINWORD.EXE
  1724 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  1724 | WINWORD.EXE
  1724 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WINWORD.EXE
  description | pid  | process     | target process
  PID 1724 wrote to memory of 1804 | 1724 | WINWORD.EXE | splwow64.exe
  PID 1724 wrote to memory of 1804 | 1724 | WINWORD.EXE | splwow64.exe
  PID 1724 wrote to memory of 1804 | 1724 | WINWORD.EXE | splwow64.exe
  PID 1724 wrote to memory of 1804 | 1724 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\proforma invoice.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child process)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Launches Equation Editor
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1484-63-0x0000000075161000-0x0000000075163000-memory.dmp (Filesize: 8KB)
- memory/1484-64-0x00000000043A0000-0x0000000004564000-memory.dmp (Filesize: 1.8MB)
- memory/1724-60-0x0000000072121000-0x0000000072124000-memory.dmp (Filesize: 12KB)
- memory/1724-61-0x000000006FBA1000-0x000000006FBA3000-memory.dmp (Filesize: 8KB)
- memory/1724-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1804-65-0x0000000000000000-mapping.dmp
- memory/1804-66-0x000007FEFB571000-0x000007FEFB573000-memory.dmp (Filesize: 8KB)