Analysis
max time kernel: 123s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211014
submitted: 23-10-2021 07:48

Static task: static1

Behavioral task: behavioral1
  Sample: 24352a3a.docx
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample: 24352a3a.docx
  Resource: win10-en-20210920

General
Target: 24352a3a.docx
Size: 10KB
MD5: 41d36ccc9c5225adf6be4bfff6747788
SHA1: ca688ea823b17b517ba815a6e18efe431747cc95
SHA256: 24352a3a3322b6766dde282ac9b416d7ad614509a22c6dd43b3e68a96e35120b
SHA512: 1cde26e8e43d9cfef7e902c1cd397057f0b4049835618c94b9e49a1263d5408491a2361a7e3e1be75c0ca84ba8c10f0abe3a9cab032c156635d491112ea554cd
Malware Config
Signatures
Detect Neshta Payload 9 IoCs
Processes:
resource  yara_rule
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
\Users\Public\vbc.exe  family_neshta
C:\Users\Public\vbc.exe  family_neshta
C:\Users\Public\vbc.exe  family_neshta
behavioral1/memory/1648-75-0x0000000000000000-mapping.dmp  family_neshta
behavioral1/memory/1648-77-0x00000000001C0000-0x00000000001DB000-memory.dmp  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\KC94CCU5\VBC_1_~1.EXE  family_neshta
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  vbc.exe
Neshta
Malware from the Neshta family inserts itself into other executable files in order to spread and cause damage.
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
12  1948  EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
Processes:
pid  process
1308  vbc.exe
1016  vbc.exe
1648  vbc.exe
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Common\Offline\Files\https://urlchill.com/sc9YD  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Loads dropped DLL 11 IoCs
Processes:
pid  process
1948  EQNEDT32.EXE
1948  EQNEDT32.EXE
1948  EQNEDT32.EXE
1948  EQNEDT32.EXE
1308  vbc.exe
1016  vbc.exe
1016  vbc.exe
932  WerFault.exe
932  WerFault.exe
932  WerFault.exe
1308  vbc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\svchost.com  vbc.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
932  1648  WerFault.exe  vbc.exe
NSIS installer 23 IoCs
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid  process
1720  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid  process
932  WerFault.exe
932  WerFault.exe
932  WerFault.exe
932  WerFault.exe
932  WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
932  WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  932  WerFault.exe
Token: SeShutdownPrivilege  1720  WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
1720  WINWORD.EXE
1720  WINWORD.EXE

Suspicious use of WriteProcessMemory 30 IoCs
Processes:
description  pid  process  target process
PID 1948 wrote to memory of 1308  1948  EQNEDT32.EXE  vbc.exe
PID 1948 wrote to memory of 1308  1948  EQNEDT32.EXE  vbc.exe
PID 1948 wrote to memory of 1308  1948  EQNEDT32.EXE  vbc.exe
PID 1948 wrote to memory of 1308  1948  EQNEDT32.EXE  vbc.exe
PID 1308 wrote to memory of 1016  1308  vbc.exe  vbc.exe
PID 1308 wrote to memory of 1016  1308  vbc.exe  vbc.exe
PID 1308 wrote to memory of 1016  1308  vbc.exe  vbc.exe
PID 1308 wrote to memory of 1016  1308  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1016 wrote to memory of 1648  1016  vbc.exe  vbc.exe
PID 1720 wrote to memory of 1252  1720  WINWORD.EXE  splwow64.exe
PID 1720 wrote to memory of 1252  1720  WINWORD.EXE  splwow64.exe
PID 1720 wrote to memory of 1252  1720  WINWORD.EXE  splwow64.exe
PID 1720 wrote to memory of 1252  1720  WINWORD.EXE  splwow64.exe
PID 1648 wrote to memory of 932  1648  vbc.exe  WerFault.exe
PID 1648 wrote to memory of 932  1648  vbc.exe  WerFault.exe
PID 1648 wrote to memory of 932  1648  vbc.exe  WerFault.exe
PID 1648 wrote to memory of 932  1648  vbc.exe  WerFault.exe
Processes

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1720)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\24352a3a.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\splwow64.exe  (PID 1252)
        command line: C:\Windows\splwow64.exe 12288

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1948)
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\vbc.exe  (PID 1308)
        command line: "C:\Users\Public\vbc.exe"
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe  (PID 1016)
            command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe  (PID 1648)
                command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\WerFault.exe  (PID 932)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 148
                    - Loads dropped DLL
                    - Program crash
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads