Analysis
-
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-06-2022 07:48
Static task: static1
Behavioral task behavioral1: sample neworder.xlsx, resource win7-20220414-en
Behavioral task behavioral2: sample neworder.xlsx, resource win10v2004-20220414-en
Behavioral task behavioral3: sample decrypted.xlsx, resource win7-20220414-en
Behavioral task behavioral4: sample decrypted.xlsx, resource win10v2004-20220414-en
General
-
Target: decrypted.xlsx
Size: 65KB
MD5: 8f9618a7aa42db05bc62579df02745ef
SHA1: 11b9c0f4a6597d9ff11c43dd3aa5f78ca8241540
SHA256: 5f170dae688af1256a837d10fb1051d3de21691a8290cc943a1e54f93a53f746
SHA512: 41e671151ede9c8dafcd0974aea97252ef7cf7c8d36d3129048cc8d6a32c90c45ab6b45b8988e75bc74cb341f5e25e5b9bf6874c49eb0959b8796c64b67107a6
Malware Config
Extracted
xloader
2.6
vweq
Signatures
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 5 IoCs
Processes:
resource | yara_rule
behavioral3/memory/1756-84-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral3/memory/1756-85-0x000000000041F280-mapping.dmp | xloader
behavioral3/memory/1756-87-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral3/memory/1756-95-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral3/memory/1424-97-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
23 | 1636 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2040 | vbc.exe
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1636 | EQNEDT32.EXE
1636 | EQNEDT32.EXE
1636 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2040 set thread context of 1756 | 2040 | vbc.exe | cvtres.exe
PID 1756 set thread context of 1428 | 1756 | cvtres.exe | Explorer.EXE
PID 1756 set thread context of 1428 | 1756 | cvtres.exe | Explorer.EXE
PID 1424 set thread context of 1428 | 1424 | chkdsk.exe | Explorer.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1660 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process
1756 | cvtres.exe
1756 | cvtres.exe
1756 | cvtres.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1756 | cvtres.exe
1756 | cvtres.exe
1756 | cvtres.exe
1756 | cvtres.exe
1424 | chkdsk.exe
1424 | chkdsk.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1756 | cvtres.exe
Token: SeShutdownPrivilege | 1428 | Explorer.EXE
Token: SeDebugPrivilege | 1424 | chkdsk.exe
Token: SeShutdownPrivilege | 1428 | Explorer.EXE
Token: SeShutdownPrivilege | 1428 | Explorer.EXE
Token: SeShutdownPrivilege | 1428 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
1660 | EXCEL.EXE
1660 | EXCEL.EXE
1660 | EXCEL.EXE
432 | WINWORD.EXE
432 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 1636 wrote to memory of 2040 | 1636 | EQNEDT32.EXE | vbc.exe
PID 1636 wrote to memory of 2040 | 1636 | EQNEDT32.EXE | vbc.exe
PID 1636 wrote to memory of 2040 | 1636 | EQNEDT32.EXE | vbc.exe
PID 1636 wrote to memory of 2040 | 1636 | EQNEDT32.EXE | vbc.exe
PID 432 wrote to memory of 1988 | 432 | WINWORD.EXE | splwow64.exe
PID 432 wrote to memory of 1988 | 432 | WINWORD.EXE | splwow64.exe
PID 432 wrote to memory of 1988 | 432 | WINWORD.EXE | splwow64.exe
PID 432 wrote to memory of 1988 | 432 | WINWORD.EXE | splwow64.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 2040 wrote to memory of 1756 | 2040 | vbc.exe | cvtres.exe
PID 1428 wrote to memory of 1424 | 1428 | Explorer.EXE | chkdsk.exe
PID 1428 wrote to memory of 1424 | 1428 | Explorer.EXE | chkdsk.exe
PID 1428 wrote to memory of 1424 | 1428 | Explorer.EXE | chkdsk.exe
PID 1428 wrote to memory of 1424 | 1428 | Explorer.EXE | chkdsk.exe
Processes
-
C:\Windows\Explorer.EXE (tree level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (tree level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\chkdsk.exe (tree level 2)
Command line: "C:\Windows\SysWOW64\chkdsk.exe"
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (tree level 2)
Command line: C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (tree level 2)
Command line: "C:\Users\Public\vbc.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (tree level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize: 1KB
MD5: fc887f7c5ef1eeae3fb3ba651f77ac36
SHA1: 6fd07a59ef6c724a6e6b926e7c235f1a8f396936
SHA256: 5f98609231b96fc1ecfeff757089f66d6a74bbe8fed6b33d83a799790484aa56
SHA512: e4071eec9b1c4b5c2b6cc779bdd0ff4ee71a0a2a05675aee3fbf0749c07b412afe51d25d11cdacca0702c5c96c39047e637beba4e8ecf68644964a06751758a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize: 408B
MD5: 7cfbe852b8f94209f8f083d89b532760
SHA1: 6504b15d33569649f872b163a084e5347e08f48f
SHA256: 4c621802bb7634a515e3955bc40156eb30519a3d7aa902636e6f07eee542a88a
SHA512: 61970bd88ca7730782f95ad5a75767da556291448e95a84af2a7666265b3de55401710c6de1e56cdb59440d1377654403a6d4f11c31faaee3b9197fa36bd67c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f62b5508fe2f0260316739a9a95a2758
SHA1: 8036f6c653c267e45f279b165c8cd1285174cd30
SHA256: b0a53e91c35190d13c42df3fb189259c120a837de06d412d497216919521a4d1
SHA512: e25414de71531e80c93dd5fea53ea1328a717a1666eb383498d47dd26180e7b78ff112637799092b99e24564a526304b3fc38657f7bf3ebc38879aeaf6c78108
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGS3CERJ\8[1].doc
Filesize: 23KB
MD5: c58e805abdf712bf2c46c94d6be98369
SHA1: 76a8263d4e8945b3f89afa9755b673fd4b335e7d
SHA256: c1bc5133c97561f8eb1cc1f858b2536105292636d0fbd4ff8eade252f7bbc39d
SHA512: d073a79d7f83c20f52071202deb66d6c7eb79086bd991dec058ddb0db05e447d0390912899383c69ce4f09a4215da340dae0be39a9a1c66675142139f18acd7e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6BVO42WS.txt
Filesize: 73B
MD5: 28f35ddc06fafd3bfc6c96b2e64894e1
SHA1: 3b850eea56109424fe0285438a6978e28f6a5619
SHA256: 7e7c7d64208c027e336767d7b6bfffa4ca9040f4b4721ea1eb30eeedde9e40a8
SHA512: a31f7f711d18aeae14b86b73d0e90608316ed8a34417040c2324828de52ba54ccd5f98da5849f394052397396e1f0e0ccfbc817b770f86848a428272ecf621ce
-
C:\Users\Public\vbc.exe
Filesize: 382KB
MD5: ae5edb053d773cccdfb1591933d8dca9
SHA1: 4076a325e8b40ae7f90ed797ca1b74020fe3107c
SHA256: b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
SHA512: 37da8f4f36447dea7c4f33a490eb4e920ed7539b921895c50fc6f33f467d246364441e70d4d39e597d6733868c1d270b7e0bc7c94bf334b2d34a2f37dd3cf5c3
-
\Users\Public\vbc.exe
Filesize: 382KB
MD5: ae5edb053d773cccdfb1591933d8dca9
SHA1: 4076a325e8b40ae7f90ed797ca1b74020fe3107c
SHA256: b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
SHA512: 37da8f4f36447dea7c4f33a490eb4e920ed7539b921895c50fc6f33f467d246364441e70d4d39e597d6733868c1d270b7e0bc7c94bf334b2d34a2f37dd3cf5c3
-
memory/432-59-0x000000006BA91000-0x000000006BA94000-memory.dmp (Filesize 12KB)
-
memory/432-65-0x000000007296D000-0x0000000072978000-memory.dmp (Filesize 44KB)
-
memory/1424-97-0x00000000000C0000-0x00000000000EB000-memory.dmp (Filesize 172KB)
-
memory/1424-98-0x00000000021F0000-0x00000000024F3000-memory.dmp (Filesize 3.0MB)
-
memory/1424-94-0x0000000000000000-mapping.dmp
-
memory/1424-99-0x0000000000970000-0x0000000000A00000-memory.dmp (Filesize 576KB)
-
memory/1424-96-0x0000000000A10000-0x0000000000A17000-memory.dmp (Filesize 28KB)
-
memory/1428-90-0x0000000007300000-0x0000000007413000-memory.dmp (Filesize 1.1MB)
-
memory/1428-93-0x0000000007420000-0x0000000007534000-memory.dmp (Filesize 1.1MB)
-
memory/1660-57-0x000000007296D000-0x0000000072978000-memory.dmp (Filesize 44KB)
-
memory/1660-54-0x000000002F1B1000-0x000000002F1B4000-memory.dmp (Filesize 12KB)
-
memory/1660-55-0x0000000071981000-0x0000000071983000-memory.dmp (Filesize 8KB)
-
memory/1660-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
-
memory/1660-58-0x0000000076781000-0x0000000076783000-memory.dmp (Filesize 8KB)
-
memory/1660-64-0x000000007296D000-0x0000000072978000-memory.dmp (Filesize 44KB)
-
memory/1756-89-0x00000000001C0000-0x00000000001D1000-memory.dmp (Filesize 68KB)
-
memory/1756-81-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
-
memory/1756-87-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
-
memory/1756-88-0x0000000000BA0000-0x0000000000EA3000-memory.dmp (Filesize 3.0MB)
-
memory/1756-84-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
-
memory/1756-82-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
-
memory/1756-92-0x0000000000250000-0x0000000000261000-memory.dmp (Filesize 68KB)
-
memory/1756-85-0x000000000041F280-mapping.dmp
-
memory/1756-95-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
-
memory/1988-80-0x000007FEFC331000-0x000007FEFC333000-memory.dmp (Filesize 8KB)
-
memory/1988-77-0x0000000000000000-mapping.dmp
-
memory/2040-79-0x0000000000670000-0x00000000006A4000-memory.dmp (Filesize 208KB)
-
memory/2040-78-0x0000000001340000-0x00000000013A2000-memory.dmp (Filesize 392KB)
-
memory/2040-74-0x0000000000000000-mapping.dmp