Analysis
- max time kernel: 149s
- max time network: 178s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-06-2021 06:16

Static task: static1
Behavioral task: behavioral1, sample "Reliance Trading Pvt. Ltd. List.docx", resource win7v20210408
Behavioral task: behavioral2, sample "Reliance Trading Pvt. Ltd. List.docx", resource win10v20210408

General
- Target: Reliance Trading Pvt. Ltd. List.docx
- Size: 10KB
- MD5: 8312b5bab2f19b01e2a1a12744a7464e
- SHA1: 076df8e460f965cd7b30fb07cdd06e90654417ec
- SHA256: 2bb1e6d0bcc6af940f0835a269b1ad99f8420207ba2f87c6f789219f8186559f
- SHA512: 5236b8461c9bb6af273c85f26905552a06977a1d58f2ff104f416bae996d3838b4ca76b037716aeb39936de0c79854e88c58cca5c17362e9836ccd097879e5f1
Malware Config
Extracted family: formbook
Version: 4.1
C2: http://www.mpaiji.com/c244/
Domains (64 entries; the decoy-domain list embedded in the Formbook config, contacted alongside the real C2 to obscure it):
ssgasija.com
procyoon.com
mood-street-food.com
yeglifeview.com
baoyai.com
sundarsheni.com
notoli.photography
sweetape.com
ergas.group
asyrill.com
jin188v.com
stlazarushospitalnola.com
dohertyfamily5.com
duniaclubs.club
ngobryles.com
scottsavocasalon.com
unifiui.com
baileyfred.com
nabiagency.com
alyssaternanphotography.com
whitehome-re.com
nitaraine.com
rklogtransportes.com
closetcouturenc.com
day.gallery
suxfi.com
mittikasaman.com
livesupgrade.com
hasbiadam.com
masdelafont-mauguio.com
topadofa.com
humanimmunogenomics.com
exit-blog.com
andersonsignandbannerco.com
ellasween.com
jmycjj.com
dhshk.com
peaceful-dolphin.com
flossydesigns.com
mrevivalkids.com
paintmehappywithcassandra.com
daishuaku.com
c2spot.com
odiaproduct.com
skillfultopshop.com
mentorbp.com
annualchecklist.com
jasaborongan.com
fasttrainheal.com
flatfootedhatting.com
brionreilly.com
ogcaterers.info
uuhlashwe.club
subsidy-kennwort.info
logisticmoversusa.com
houseofkabbalah.com
ahealingjournee.com
diemtinthitruong.com
naturallybossed.com
turksandcaicosdirect.com
hudsonvalleyfinearts.net
brocousa.com
getyourcostsdown.com
liveitupmusic.com
Signatures
-
Formbook Payload (4 IoCs)
YARA rule "formbook" matched in:
- behavioral1/memory/1840-73-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/1840-74-0x000000000041EB20-mapping.dmp
- behavioral1/memory/972-76-0x0000000000220000-0x000000000024F000-memory.dmp
- behavioral1/memory/960-85-0x0000000000080000-0x00000000000AE000-memory.dmp
-
Blocklisted process makes network request (1 IoC)
- flow 8, PID 1288 EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
- PID 972 vbc.exe
- PID 1840 vbc.exe
-
Abuses OpenXML format to download file from external location (2 IoCs)
- Key created by WINWORD.EXE: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key opened by WINWORD.EXE: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://198.12.91.160/--...........................................------..................--------/......................wiz
  (Office creates a subkey under Common\Offline\Files for each file it opens from a URL, so the key name records the remote location the document made Word fetch.)
-
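The behaviour flagged above is carried by an OpenXML relationship whose TargetMode is "External"; the report shows only the URL Word ended up opening, not which relationship type pointed at it. The scanner below, an added example that is not part of the sandbox report or its tooling, walks every *.rels part of a package and flags external targets that Office dereferences without a click. The two auto-fetch types (attachedTemplate in settings.xml.rels, oleObject in document.xml.rels), the REMOTE pattern and the sample packages it builds are this example's own assumptions; the URL is the one from the Offline\Files IoC.

```python
"""Flag OpenXML relationships that reach outside the package.
Added example for this report, not sandbox code; the packages it builds
are constructed here and are not the analysed document."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word dereferences on open with no user click (assumed set):
# an attached template (word/_rels/settings.xml.rels) and a linked OLE object.
AUTO_FETCH = {"attachedTemplate", "oleObject"}
REMOTE = re.compile(r"^(?:(?:https?|ftp|file):|\\\\)", re.I)   # URL scheme or UNC path


def external_relationships(package: bytes) -> list:
    """Every Relationship with TargetMode="External" in any *.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(part)).iter(PKG_REL):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                hits.append({"part": part, "id": rel.get("Id"), "type": rtype,
                             "target": target,
                             "remote": bool(REMOTE.match(target)),
                             "auto_fetch": rtype in AUTO_FETCH})
    return hits


def is_suspicious(hits: list) -> bool:
    """True if opening the document makes Office fetch something remote unprompted."""
    return any(h["remote"] and h["auto_fetch"] for h in hits)


# --- constructed sample packages (minimal, enough for the scanner) -----------
_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          '</Types>')
_RELS = ('<?xml version="1.0" encoding="UTF-8"?>'
         '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '<Relationship Id="rId1" Type="{type}" Target="{target}"{mode}/></Relationships>')
_DOC = ('<?xml version="1.0" encoding="UTF-8"?><w:document '
        'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')


def build_docx(rel_type: str, target: str) -> bytes:
    """Minimal .docx carrying one external relationship of the given type."""
    part = "word/_rels/settings.xml.rels" if rel_type == "attachedTemplate" else "word/_rels/document.xml.rels"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _TYPES)
        zf.writestr("_rels/.rels", _RELS.format(type=OFFICE_REL + "officeDocument",
                                                 target="word/document.xml", mode=""))
        zf.writestr("word/document.xml", _DOC)
        zf.writestr(part, _RELS.format(type=OFFICE_REL + rel_type,
                                       target=escape(target, {'"': "&quot;"}),
                                       mode=' TargetMode="External"'))
    return buf.getvalue()


# The URL Word opened in this run, taken from the Offline\Files registry IoC.
SEEN_URL = "http://198.12.91.160/--...........................................------..................--------/......................wiz"

if __name__ == "__main__":
    for kind, tgt in (("attachedTemplate", SEEN_URL), ("oleObject", SEEN_URL),
                      ("hyperlink", SEEN_URL), ("oleObject", "embeddings/oleObject1.bin")):
        hits = external_relationships(build_docx(kind, tgt))
        print(f"{kind:17} -> {'SUSPICIOUS' if is_suspicious(hits) else 'benign':10} {hits[0]['part']}")
```

A hyperlink with an external target is reported but not treated as suspicious, since it needs a click; an oleObject with a relative target is embedded, not fetched. Run the same function over a real sample by passing the bytes of the .docx to external_relationships().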
Loads dropped DLL (4 IoCs)
- PID 1288 EQNEDT32.EXE (4 loads)
-
Uses the VBS compiler for execution (1 TTP)
Note: this is a name match. The file executed is C:\Users\Public\vbc.exe (MD5 f17e854a03ef48b2b2581e329b233510, see Downloads), a dropped payload named after the Visual Basic compiler, not the vbc.exe shipped under C:\Windows\Microsoft.NET\Framework.
-
Suspicious use of SetThreadContext (3 IoCs)
- PID 972 vbc.exe set thread context of PID 1840 vbc.exe
- PID 1840 vbc.exe set thread context of PID 1212 Explorer.EXE
- PID 960 raserver.exe set thread context of PID 1212 Explorer.EXE
-
Drops file in Windows directory (1 IoC)
- WINWORD.EXE opened C:\Windows\Debug\WIA\wiatrace.log for modification
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor (EQNEDT32.EXE) is a legacy Office component, started out-of-process through COM (hence the -Embedding switch and its position as a tree root rather than a WINWORD.EXE child), and a frequent exploit target, e.g. CVE-2017-11882. It has no legitimate reason to create child processes; here it spawns C:\Users\Public\vbc.exe.
-
Modifies Internet Explorer settings (9 IoCs)
All by WINWORD.EXE, under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer. These are the standard Office integration entries (Export to Microsoft Excel, Send to OneNote) and are not specific to this sample.
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: Toolbar
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Key created: MenuExt
- Key created: MenuExt\Se&nd to OneNote
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1120 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
- PID 1840 vbc.exe (2)
- PID 960 raserver.exe (25)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1212 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1840 vbc.exe (3)
- PID 960 raserver.exe (2)
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token SeDebugPrivilege: PID 1840 vbc.exe
- Token SeShutdownPrivilege: PID 1212 Explorer.EXE (4)
- Token SeDebugPrivilege: PID 960 raserver.exe
- Token SeShutdownPrivilege: PID 1120 WINWORD.EXE
-
Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1212 Explorer.EXE (4)
-
Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1212 Explorer.EXE (4)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1120 WINWORD.EXE (2)
-
Suspicious use of WriteProcessMemory (23 IoCs)
- PID 1288 EQNEDT32.EXE wrote to memory of PID 972 vbc.exe (4)
- PID 1120 WINWORD.EXE wrote to memory of PID 1080 splwow64.exe (4)
- PID 972 vbc.exe wrote to memory of PID 1840 vbc.exe (7)
- PID 1212 Explorer.EXE wrote to memory of PID 960 raserver.exe (4)
- PID 960 raserver.exe wrote to memory of PID 1576 cmd.exe (4)
Processes
-
[1] C:\Windows\Explorer.EXE (PID 1212)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1120)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Reliance Trading Pvt. Ltd. List.docx"
        - Abuses OpenXML format to download file from external location
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\splwow64.exe (PID 1080)
            Command line: C:\Windows\splwow64.exe 12288
    [2] C:\Windows\SysWOW64\raserver.exe (PID 960)
        Command line: "C:\Windows\SysWOW64\raserver.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1576)
            Command line: /c del "C:\Users\Public\vbc.exe"
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1288)
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Public\vbc.exe (PID 972)
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Public\vbc.exe (PID 1840)
            Command line: "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; listed seven times in the report, all with identical hashes)
- MD5: f17e854a03ef48b2b2581e329b233510
- SHA1: 16a8526ccfa4f87fcd51706406cc31f56af11572
- SHA256: a39bf71ad924d013133a402cea33e33c57a0fd202dcee7f411a4149535f7e969
- SHA512: b4adadf98104ea8ccdadca57b83836618a591b93fbd71f29e96ccf04f9af04d2e8ebfa585b661f9df75435ed708825ddb5c8d29226f1bdfe931e9442583aa888
-
Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp)             Filesize
memory/960-86-0x0000000001ED0000-0x00000000021D3000-memory.dmp         3.0MB
memory/960-85-0x0000000000080000-0x00000000000AE000-memory.dmp         184KB
memory/960-81-0x0000000000000000-mapping.dmp                           -
memory/960-84-0x00000000003E0000-0x00000000003FC000-memory.dmp         112KB
memory/960-87-0x0000000000920000-0x00000000009B3000-memory.dmp         588KB
memory/972-76-0x0000000000220000-0x000000000024F000-memory.dmp         188KB
memory/972-68-0x0000000000000000-mapping.dmp                           -
memory/1080-71-0x000007FEFB681000-0x000007FEFB683000-memory.dmp        8KB
memory/1080-70-0x0000000000000000-mapping.dmp                          -
memory/1120-89-0x000000005FFF0000-0x0000000060000000-memory.dmp        64KB
memory/1120-61-0x000000006FC01000-0x000000006FC03000-memory.dmp        8KB
memory/1120-62-0x000000005FFF0000-0x0000000060000000-memory.dmp        64KB
memory/1120-60-0x0000000072181000-0x0000000072184000-memory.dmp        12KB
memory/1212-88-0x0000000006E90000-0x0000000007007000-memory.dmp        1.5MB
memory/1212-80-0x0000000004500000-0x00000000045CA000-memory.dmp        808KB
memory/1288-63-0x0000000074D91000-0x0000000074D93000-memory.dmp        8KB
memory/1576-83-0x0000000000000000-mapping.dmp                          -
memory/1840-79-0x0000000000530000-0x0000000000544000-memory.dmp        80KB
memory/1840-78-0x00000000006E0000-0x00000000009E3000-memory.dmp        3.0MB
memory/1840-74-0x000000000041EB20-mapping.dmp                          -
memory/1840-73-0x0000000000400000-0x000000000042E000-memory.dmp        184KB