002e54405b1ce6dd9710be53d71e832fcffc92fb63fc8ef3a37d14e0867c4c10

Analysis

max time kernel
101s
max time network
66s
platform
windows7_x64
resource
win7v20210408
submitted
22-07-2021 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new order.xlsx
Size

1.3MB
MD5

d59accd992813d35bb00a4b3f84c4ffe
SHA1

851d437a71d1a156e0adb9f553611865b8c90d94
SHA256

002e54405b1ce6dd9710be53d71e832fcffc92fb63fc8ef3a37d14e0867c4c10
SHA512

7328ce416225e682b4b3f2c5c81427195144f3b030264d4a6dde967092b26165769bb87718843db8de6d56a6d1da3c8a2eb929f73b1c9720db3ca17a5fefad14

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1608 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1844 vbc.exe
1688 vbc.exe
1636 vbc.exe
952 vbc.exe
576 vbc.exe
2016 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1608 EQNEDT32.EXE
1608 EQNEDT32.EXE
1608 EQNEDT32.EXE
1608 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1608 EQNEDT32.EXE

flow	pid	process
4	1608	EQNEDT32.EXE

pid	process
1844	vbc.exe
1688	vbc.exe
1636	vbc.exe
952	vbc.exe
576	vbc.exe
2016	vbc.exe

pid	process
1608	EQNEDT32.EXE
1608	EQNEDT32.EXE
1608	EQNEDT32.EXE
1608	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1608	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
1844 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1844 vbc.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE

pid	process
332	EXCEL.EXE

pid	process
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe
1844	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1844	vbc.exe

pid	process
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1608 wrote to memory of 1844	1608	EQNEDT32.EXE	vbc.exe
PID 1608 wrote to memory of 1844	1608	EQNEDT32.EXE	vbc.exe
PID 1608 wrote to memory of 1844	1608	EQNEDT32.EXE	vbc.exe
PID 1608 wrote to memory of 1844	1608	EQNEDT32.EXE	vbc.exe
PID 1844 wrote to memory of 1688	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1688	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1688	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1688	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1636	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1636	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1636	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 1636	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 952	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 952	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 952	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 952	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 576	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 576	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 576	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 576	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 2016	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 2016	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 2016	1844	vbc.exe	vbc.exe
PID 1844 wrote to memory of 2016	1844	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\new order.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:332

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1688

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1636

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:952

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:576

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
C:\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
\Users\Public\vbc.exe
MD5
750919bd7e02e7821efa1b1bd0ed4eda

SHA1
2d925d1d04d12c72e4411d84b2c2b297d09f2c3c

SHA256
994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f

SHA512
087d25c798e2429b34b408ff0a315018a46feb833d5286ab87835b5b2e49fd7b3079facf5be7ce44ec5e5869f2390ab50066dfdaaae7f638c0f9d427b919162f

Download Submit
memory/332-75-0x0000000006BF8000-0x0000000006BF9000-memory.dmp

Filesize
4KB

Download
memory/332-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/332-59-0x000000002FD81000-0x000000002FD84000-memory.dmp

Filesize
12KB

Download
memory/332-76-0x0000000006BF2000-0x0000000006BF3000-memory.dmp

Filesize
4KB

Download
memory/332-77-0x0000000006BF3000-0x0000000006BF6000-memory.dmp

Filesize
12KB

Download
memory/332-74-0x0000000006BF0000-0x0000000006BF2000-memory.dmp

Filesize
8KB

Download
memory/332-79-0x0000000006E70000-0x0000000006E73000-memory.dmp

Filesize
12KB

Download
memory/332-78-0x0000000006BFA000-0x0000000006BFD000-memory.dmp

Filesize
12KB

Download
memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp

Filesize
8KB

Download
memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1608-62-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1844-80-0x00000000004A0000-0x00000000004BB000-memory.dmp

Filesize
108KB

Download
memory/1844-70-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1844-67-0x0000000000000000-mapping.dmp

Download
memory/1844-82-0x0000000000950000-0x0000000000980000-memory.dmp

Filesize
192KB

Download
memory/1844-81-0x0000000004E40000-0x0000000004EB5000-memory.dmp

Filesize
468KB

Download
memory/1844-72-0x0000000006D40000-0x0000000006DEB000-memory.dmp

Filesize
684KB

Download
memory/1844-73-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download