Analysis
-
max time kernel: 151s
max time network: 149s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-06-2022 07:48
Static task: static1
Behavioral task: behavioral1 (sample neworder.xlsx, resource win7-20220414-en)
Behavioral task: behavioral2 (sample neworder.xlsx, resource win10v2004-20220414-en)
Behavioral task: behavioral3 (sample decrypted.xlsx, resource win7-20220414-en)
Behavioral task: behavioral4 (sample decrypted.xlsx, resource win10v2004-20220414-en)
General
-
Target: neworder.xlsx
Size: 70KB
MD5: d9f48130841dc73037b0f62f746541fc
SHA1: c0a72723ecaa8946b20e83b351103e4d3736f818
SHA256: a18777061d67e2f6d34ff05d90d39171058c0c4a609c8cb2fbc86cf13c730740
SHA512: 8ae9a035928b991027195950fe2d38d1200d7728fbbd900a40a37161171bb54b577a9a191396ec255d3048a94d9c689c14f7773d85df2d5883a6febc6fe1c294
Malware Config
Extracted: xloader 2.6 (vweq)
Domains:
malang-media.com
mrsfence.com
lubetops.com
aitimedia.net
montecryptocapital.com
ahwmedia.com
bvmnc.site
bggearstore.com
bcsantacoloma.online
alltimephotography.com
santacruz-roofings.com
leaplifestyleenterprises.com
censovet.com
similkameenfarms.com
undisclosed.email
thetrinityco.com
rapiturs.com
jedlersdorf.info
mh7jk12e.xyz
flygurlblogwordpress.com
goodbaddesign.com
equipmentrentalpartyplus.com
ohyoutube.com
projetoarvore.com
2379.flights
implemedescribed.com
kreasinesia.com
ownitoffice.com
fortekofteacizyemeknerde.store
my-wh-webproject.com
518499.com
naples-us.com
tlrohio.com
kanchava.com
lcloudfindin.com
cybermatrix.tech
i6lqi.xyz
ebay-online-selling-24.com
afrisectelecoms.com
tiantian997.xyz
strategyvenues.com
marketnear.watch
thebrooklynyogi.com
sonikbuilder.online
voyagesconsulting.com
ledgel0ungers.com
youhadtobethere.biz
disabled-long.com
dental-implants-encounter.life
zydssq.com
livingwell.green
doumao334.xyz
moodysoot.online
licos.xyz
maqitashop.com
doroos.online
laikemiao.com
petrolverse.xyz
apostolicpraise.net
todaychance.com
helightville.com
st-john-fisher-school.com
agwly.com
dashop.pro
zxc3426.xyz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1524-84-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1524-85-0x000000000041F280-mapping.dmp | xloader
behavioral1/memory/1524-87-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1524-95-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1732-98-0x0000000000080000-0x00000000000AB000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
20 | 832 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1008 | vbc.exe
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
832 | EQNEDT32.EXE
832 | EQNEDT32.EXE
832 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 1008 set thread context of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1524 set thread context of 1200 | 1524 | cvtres.exe | Explorer.EXE
PID 1524 set thread context of 1200 | 1524 | cvtres.exe | Explorer.EXE
PID 1732 set thread context of 1200 | 1732 | control.exe | Explorer.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2036 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
1524 | cvtres.exe
1524 | cvtres.exe
1524 | cvtres.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
1732 | control.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1524 | cvtres.exe
1524 | cvtres.exe
1524 | cvtres.exe
1524 | cvtres.exe
1732 | control.exe
1732 | control.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1524 | cvtres.exe
Token: SeDebugPrivilege | 1732 | control.exe
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
2036 | EXCEL.EXE
2036 | EXCEL.EXE
2036 | EXCEL.EXE
1260 | WINWORD.EXE
1260 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 832 wrote to memory of 1008 | 832 | EQNEDT32.EXE | vbc.exe
PID 832 wrote to memory of 1008 | 832 | EQNEDT32.EXE | vbc.exe
PID 832 wrote to memory of 1008 | 832 | EQNEDT32.EXE | vbc.exe
PID 832 wrote to memory of 1008 | 832 | EQNEDT32.EXE | vbc.exe
PID 1260 wrote to memory of 108 | 1260 | WINWORD.EXE | splwow64.exe
PID 1260 wrote to memory of 108 | 1260 | WINWORD.EXE | splwow64.exe
PID 1260 wrote to memory of 108 | 1260 | WINWORD.EXE | splwow64.exe
PID 1260 wrote to memory of 108 | 1260 | WINWORD.EXE | splwow64.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1008 wrote to memory of 1524 | 1008 | vbc.exe | cvtres.exe
PID 1200 wrote to memory of 1732 | 1200 | Explorer.EXE | control.exe
PID 1200 wrote to memory of 1732 | 1200 | Explorer.EXE | control.exe
PID 1200 wrote to memory of 1732 | 1200 | Explorer.EXE | control.exe
PID 1200 wrote to memory of 1732 | 1200 | Explorer.EXE | control.exe
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\neworder.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
  C:\Windows\SysWOW64\control.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\control.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\splwow64.exe (depth 2)
  Command line: C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
  C:\Users\Public\vbc.exe (depth 2)
  Command line: "C:\Users\Public\vbc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize: 1KB
MD5: fc887f7c5ef1eeae3fb3ba651f77ac36
SHA1: 6fd07a59ef6c724a6e6b926e7c235f1a8f396936
SHA256: 5f98609231b96fc1ecfeff757089f66d6a74bbe8fed6b33d83a799790484aa56
SHA512: e4071eec9b1c4b5c2b6cc779bdd0ff4ee71a0a2a05675aee3fbf0749c07b412afe51d25d11cdacca0702c5c96c39047e637beba4e8ecf68644964a06751758a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize: 438B
MD5: bc72656509f34432e94486074a3dd444
SHA1: 341af0deafd8d4ef58dc823d35587f04cd770239
SHA256: 7319a0e2b857db728a8360b7916294fa11f05b37b432627e62fbf03c1517914a
SHA512: 8c98b312272464a65e007cfd87fea514bbe4c8b42e6d124b71269d1a66f1c2b0931a800f9fd4b5c10c2f401862cc7551d5738085e6985e4a1117f1c066ff4d7c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4b483cc4fd33225632812cd2c3fa8b2e
SHA1: afb23c5499698b83c5aeb0943adb925d4732cbfa
SHA256: 9131f51872ec3197c89ef8d0be6e3110bf9cb0b87f423c03401d050cc81a1ed7
SHA512: f030a699fabbcbd1760dea2be76cd271ff9c75ff97cbad3c3994e051a3413d3df6b27fe37572c879459db59c690b1ab4d0aa2106f957b6132c716fd7e868627f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CSMPMU9R\8[1].doc
Filesize: 23KB
MD5: c58e805abdf712bf2c46c94d6be98369
SHA1: 76a8263d4e8945b3f89afa9755b673fd4b335e7d
SHA256: c1bc5133c97561f8eb1cc1f858b2536105292636d0fbd4ff8eade252f7bbc39d
SHA512: d073a79d7f83c20f52071202deb66d6c7eb79086bd991dec058ddb0db05e447d0390912899383c69ce4f09a4215da340dae0be39a9a1c66675142139f18acd7e
-
C:\Users\Public\vbc.exe
Filesize: 382KB
MD5: ae5edb053d773cccdfb1591933d8dca9
SHA1: 4076a325e8b40ae7f90ed797ca1b74020fe3107c
SHA256: b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
SHA512: 37da8f4f36447dea7c4f33a490eb4e920ed7539b921895c50fc6f33f467d246364441e70d4d39e597d6733868c1d270b7e0bc7c94bf334b2d34a2f37dd3cf5c3
-
\Users\Public\vbc.exe
Filesize: 382KB
MD5: ae5edb053d773cccdfb1591933d8dca9
SHA1: 4076a325e8b40ae7f90ed797ca1b74020fe3107c
SHA256: b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
SHA512: 37da8f4f36447dea7c4f33a490eb4e920ed7539b921895c50fc6f33f467d246364441e70d4d39e597d6733868c1d270b7e0bc7c94bf334b2d34a2f37dd3cf5c3
-
memory/108-79-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
Filesize: 8KB
-
memory/108-76-0x0000000000000000-mapping.dmp
-
memory/1008-78-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize: 208KB
-
memory/1008-73-0x0000000000000000-mapping.dmp
-
memory/1008-77-0x0000000000C10000-0x0000000000C72000-memory.dmp
Filesize: 392KB
-
memory/1200-102-0x0000000009530000-0x00000000096BD000-memory.dmp
Filesize: 1.6MB
-
memory/1200-101-0x0000000009530000-0x00000000096BD000-memory.dmp
Filesize: 1.6MB
-
memory/1200-93-0x0000000007870000-0x00000000079C9000-memory.dmp
Filesize: 1.3MB
-
memory/1200-90-0x0000000006AA0000-0x0000000006BA9000-memory.dmp
Filesize: 1.0MB
-
memory/1260-80-0x000000007260D000-0x0000000072618000-memory.dmp
Filesize: 44KB
-
memory/1260-60-0x000000006B681000-0x000000006B684000-memory.dmp
Filesize: 12KB
-
memory/1260-64-0x000000007260D000-0x0000000072618000-memory.dmp
Filesize: 44KB
-
memory/1524-85-0x000000000041F280-mapping.dmp
-
memory/1524-88-0x00000000008D0000-0x0000000000BD3000-memory.dmp
Filesize: 3.0MB
-
memory/1524-81-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1524-82-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1524-84-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1524-95-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1524-87-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1524-92-0x00000000002E0000-0x00000000002F1000-memory.dmp
Filesize: 68KB
-
memory/1524-89-0x0000000000290000-0x00000000002A1000-memory.dmp
Filesize: 68KB
-
memory/1732-98-0x0000000000080000-0x00000000000AB000-memory.dmp
Filesize: 172KB
-
memory/1732-97-0x0000000000710000-0x000000000072F000-memory.dmp
Filesize: 124KB
-
memory/1732-99-0x0000000001F90000-0x0000000002293000-memory.dmp
Filesize: 3.0MB
-
memory/1732-94-0x0000000000000000-mapping.dmp
-
memory/1732-100-0x0000000001CC0000-0x0000000001D50000-memory.dmp
Filesize: 576KB
-
memory/2036-54-0x000000002F681000-0x000000002F684000-memory.dmp
Filesize: 12KB
-
memory/2036-57-0x000000007260D000-0x0000000072618000-memory.dmp
Filesize: 44KB
-
memory/2036-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2036-55-0x0000000071621000-0x0000000071623000-memory.dmp
Filesize: 8KB
-
memory/2036-58-0x0000000075C01000-0x0000000075C03000-memory.dmp
Filesize: 8KB
-
memory/2036-59-0x000000007260D000-0x0000000072618000-memory.dmp
Filesize: 44KB