2a20bbe8c5562c5e602ca21bf5c68433d1bf41f9e126fd3d8450c6a7ca56ffb6

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-06-2022 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decrypted.xlsx
Size

64KB
MD5

f47afe6c3e0e23c768f4cb611d98f824
SHA1

63fe705d6d6a85117f57af2431f083ba6c472eed
SHA256

57c1e1c28a5b553d08d4ab23656d014d8b2e0b071207b516f6db3dd726b575c6
SHA512

e4ee26d06dcd59a9362560972fb27f036e95e6872533679cfe1a3e643c60187af18fe63766e0bf8d89c317852ef28db6b19178bf65c0ce07681b3b941227e4ff

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 588 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1620 vbc.exe
1812 vbc.exe
1152 vbc.exe
376 vbc.exe
1080 vbc.exe
1740 vbc.exe
Abuses OpenXML format to download file from external location
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXE

pid process

588 EQNEDT32.EXE
588 EQNEDT32.EXE
588 EQNEDT32.EXE
588 EQNEDT32.EXE
588 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

588 EQNEDT32.EXE

flow	pid	process
8	588	EQNEDT32.EXE

pid	process
1620	vbc.exe
1812	vbc.exe
1152	vbc.exe
376	vbc.exe
1080	vbc.exe
1740	vbc.exe

pid	process
588	EQNEDT32.EXE
588	EQNEDT32.EXE
588	EQNEDT32.EXE
588	EQNEDT32.EXE
588	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
588	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

388 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
1620 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1620 vbc.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

388 EXCEL.EXE
388 EXCEL.EXE
388 EXCEL.EXE
1692 WINWORD.EXE
1692 WINWORD.EXE

pid	process
388	EXCEL.EXE

pid	process
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe
1620	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1620	vbc.exe

pid	process
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
1692	WINWORD.EXE
1692	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 588 wrote to memory of 1620	588	EQNEDT32.EXE	vbc.exe
PID 588 wrote to memory of 1620	588	EQNEDT32.EXE	vbc.exe
PID 588 wrote to memory of 1620	588	EQNEDT32.EXE	vbc.exe
PID 588 wrote to memory of 1620	588	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 872	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 872	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 872	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 872	1692	WINWORD.EXE	splwow64.exe
PID 1620 wrote to memory of 1812	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1812	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1812	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1812	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1152	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1152	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1152	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1152	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 376	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 376	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 376	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 376	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1080	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1080	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1080	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1080	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1740	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1740	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1740	1620	vbc.exe	vbc.exe
PID 1620 wrote to memory of 1740	1620	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:388

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:872

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1812

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1152

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:376

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1080

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\shp[1].doc
Filesize
24KB

MD5
25ed8c4bb053d2c52b433b77089420f7

SHA1
52a213942458654f9baaeaa4de7473c7967ba431

SHA256
a6e19f56646d7a6743337d3aeb7baea8e1b3b991e10af7410786fa02845b1852

SHA512
fe2151b84918a609bfb084cdde0774ad61ddd9651b52756e7c0e70b122a9b745851f94263d3cc0183b6e58d94645bbe92160e9480fdc69e924539c2678398ff2

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
C:\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
\Users\Public\vbc.exe
Filesize
502KB

MD5
6237a36be522069ff7f84128c2cbb5c4

SHA1
2c57d875e90ef11903529ec81862aa01e8945129

SHA256
8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

SHA512
c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Download Submit
memory/388-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/388-54-0x000000002F621000-0x000000002F624000-memory.dmp

Filesize
12KB

Download
memory/388-57-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/388-55-0x0000000071C41000-0x0000000071C43000-memory.dmp

Filesize
8KB

Download
memory/388-78-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/388-58-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/872-74-0x0000000000000000-mapping.dmp

Download
memory/872-77-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/1620-82-0x0000000004D90000-0x0000000004DFA000-memory.dmp

Filesize
424KB

Download
memory/1620-81-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1620-83-0x00000000020D0000-0x0000000002102000-memory.dmp

Filesize
200KB

Download
memory/1620-79-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1620-75-0x00000000003B0000-0x0000000000434000-memory.dmp

Filesize
528KB

Download
memory/1692-80-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/1692-59-0x000000006BF91000-0x000000006BF94000-memory.dmp

Filesize
12KB

Download
memory/1692-63-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download