Analysis
-
max time kernel
100s -
max time network
45s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
10-08-2021 06:21
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Payment Advice.xlsx
Resource
win10v20210410
General
-
Target
Payment Advice.xlsx
-
Size
1.2MB
-
MD5
5b73fe85493ab5de9f1fca6386854f66
-
SHA1
c4ab5b4c915cba9eda255be8a88702aad1aeec81
-
SHA256
04fe8deb7fcd8197c15970a7bd846c6e12c9108aad2464570fd4342b64190e41
-
SHA512
34c02b023f17d9c739e12f6c0ee1c33633f528a87c5ede4e9a65e6ab9487d0a4af3d5f1a4ba5366ef2282423832d150cb31547466d08f1f6d869b3627fce33f3
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 656 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exepid process 532 vbc.exe 944 vbc.exe 1956 vbc.exe 792 vbc.exe 1080 vbc.exe 552 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 656 EQNEDT32.EXE 656 EQNEDT32.EXE 656 EQNEDT32.EXE 656 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1644 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
vbc.exepid process 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe 532 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 532 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1644 EXCEL.EXE 1644 EXCEL.EXE 1644 EXCEL.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
EQNEDT32.EXEvbc.exedescription pid process target process PID 656 wrote to memory of 532 656 EQNEDT32.EXE vbc.exe PID 656 wrote to memory of 532 656 EQNEDT32.EXE vbc.exe PID 656 wrote to memory of 532 656 EQNEDT32.EXE vbc.exe PID 656 wrote to memory of 532 656 EQNEDT32.EXE vbc.exe PID 532 wrote to memory of 944 532 vbc.exe vbc.exe PID 532 wrote to memory of 944 532 vbc.exe vbc.exe PID 532 wrote to memory of 944 532 vbc.exe vbc.exe PID 532 wrote to memory of 944 532 vbc.exe vbc.exe PID 532 wrote to memory of 1956 532 vbc.exe vbc.exe PID 532 wrote to memory of 1956 532 vbc.exe vbc.exe PID 532 wrote to memory of 1956 532 vbc.exe vbc.exe PID 532 wrote to memory of 1956 532 vbc.exe vbc.exe PID 532 wrote to memory of 792 532 vbc.exe vbc.exe PID 532 wrote to memory of 792 532 vbc.exe vbc.exe PID 532 wrote to memory of 792 532 vbc.exe vbc.exe PID 532 wrote to memory of 792 532 vbc.exe vbc.exe PID 532 wrote to memory of 1080 532 vbc.exe vbc.exe PID 532 wrote to memory of 1080 532 vbc.exe vbc.exe PID 532 wrote to memory of 1080 532 vbc.exe vbc.exe PID 532 wrote to memory of 1080 532 vbc.exe vbc.exe PID 532 wrote to memory of 552 532 vbc.exe vbc.exe PID 532 wrote to memory of 552 532 vbc.exe vbc.exe PID 532 wrote to memory of 552 532 vbc.exe vbc.exe PID 532 wrote to memory of 552 532 vbc.exe vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
C:\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
\Users\Public\vbc.exeMD5
c700731279dc3294e76a17a6f0269044
SHA1354388e78fd21b7858772121ed7e24b6ac83b426
SHA2564009f28116301020e1400a3840fd19700e544322564d62b03101c8b01c0bc8a3
SHA5127cc6b825bb1bcf99376e9938945cb4bba8746005fa78e4c10bf21c9e019eefccc3084a3a46b467a7a434eb6af55e6baa1e21b825616c096effdc3d479d735ef1
-
memory/532-73-0x0000000004930000-0x00000000049B4000-memory.dmpFilesize
528KB
-
memory/532-68-0x0000000000000000-mapping.dmp
-
memory/532-74-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/532-75-0x00000000003B0000-0x00000000003C1000-memory.dmpFilesize
68KB
-
memory/532-71-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/532-80-0x0000000000710000-0x000000000072C000-memory.dmpFilesize
112KB
-
memory/532-79-0x000000000A430000-0x000000000A4B8000-memory.dmpFilesize
544KB
-
memory/656-63-0x0000000075041000-0x0000000075043000-memory.dmpFilesize
8KB
-
memory/1644-78-0x0000000006030000-0x0000000006C7A000-memory.dmpFilesize
12.3MB
-
memory/1644-77-0x0000000006030000-0x0000000006C7A000-memory.dmpFilesize
12.3MB
-
memory/1644-76-0x0000000006030000-0x0000000006C7A000-memory.dmpFilesize
12.3MB
-
memory/1644-60-0x000000002F561000-0x000000002F564000-memory.dmpFilesize
12KB
-
memory/1644-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1644-61-0x0000000070D71000-0x0000000070D73000-memory.dmpFilesize
8KB
-
memory/1644-86-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB