Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28-06-2022 08:26
Static task
static1
Behavioral task
behavioral1
Sample
WSAPW0650867.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
WSAPW0650867.xlsx
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
decrypted.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
decrypted.xlsx
Resource
win10v2004-20220414-en
General
-
Target
WSAPW0650867.xlsx
-
Size
162KB
-
MD5
2f61395a0fe614c7eedf81c320828162
-
SHA1
5df8981874133d46ce0191a57708700c6388e3da
-
SHA256
baea29755ad7d0d89ae6ec2229bb06fafaf5a68869b3f07adad15e7020a79fd1
-
SHA512
b321278919028dd0e2f69e3c69f3fdd933dc1cf424ea73267f9aa6025ba5c96c6c0973a993fac52c1a4583e4147251408152cb6b1eec2f5afc5591fb1b6d1a01
Malware Config
Extracted
xloader
2.9
iewb
n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==
5vIAIY+pt81OtWs+FdIEdk7Y
LHIKc+oWGIQUUlfAAtEEdk7Y
ePM/cX2jvHrS
5hvPEw22+fdvmJz3C8FIVq0=
mb9EeX2jvHrS
Dx2zIYNvfjo8VUo5
6jVPnyJekv2RAc4gLKNwEqQ=
KWatHyjdE5Gj1Ng=
t9lk70gzUAZty4qjbVjF
6eUBeFPzKBWT125BFNIEdk7Y
dZUXOIyqTJGj1Ng=
iL3TVh2Jl5QVStnzxcAhIL8=
J1prtyklUfZGR/xDD71IbkWRd2yx
s9FgCOBRW9bU0Y6jbVjF
RYCbQDzcFBhcylgu
Fl0BV/8RJm6F9QRg8LXXTLo=
0dhumHzrCCZ3wdQg7nFF1AlL6Tk=
xvL+iL6wwX+/wH9K4lbZ/A==
N0lVceIFD5Gj1Ng=
5/mnQbHhJ7IzcYjyQbXXTLo=
luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==
yuh2thpBWtHl2ZV48rXXTLo=
ADcuaODkD5eytord4lbZ/A==
PIWRAgq8/zx4aipDyILc
TdUPJBksRZU=
NorCQjrrH5Gj1Ng=
WXUOku0EDZGj1Ng=
4w8mrX8lanCcoWZLU0SkkkSRd2yx
KIYkq/0QN5gPTFK37XszY0fa
s8lIykhdVZjlEA1g8LXXTLo=
AkBw4LE9RQNHkyRsMQ==
fLzVWEjyMarikyRsMQ==
6j1f2ZsFFRpcylgu
zu3YwbBReoIuUh1vdsGonTCDfw==
EGD0PEju53oDSuwu9765d/4KSkXU3Qxh
rc0aZhksRZU=
Un//ZcCsqyaNtEcnt6mLu7Lqdw==
V4Eqwh4FEHqIflW508EYzYSbOeC5
EiWpwJgAFRV5e1r60cAEdk7Y
VW8Pf9PN65HU1otP4lbZ/A==
FFdOyJcMGxpcylgu
KztLpY85vJkLFw==
yh8vtO4GRPQ2kyRsMQ==
qMfrSiqZvghLUyRy/7XXTLo=
eKTGPwmf3swEq2Y3
aoseYSTrlPsvGQ==
Z6tKw0RfgS5+1o6jbVjF
CyU0azDFBZGj1Ng=
7Cy+5co/ZZbhC8dW6eo=
LXmN0EJimQWHylwnbTS6afIlJZHj+Q==
2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==
jqHcD+eAi5EYlVrJm0TN
cqO55WilyvQ9mG1P4lbZ/A==
BERqtpY6pZDbB8dW6eo=
VpzDHQBueZvY24qjbVjF
OWUELQ6s28NVxom7evrIPfCLfw==
5iO6Dg619fIVQz+Q3I+ZMdmwry4=
d6GiFh7QJaHO2Jxz8bXXTLo=
NlFh6bdVeihxxT1MH+A+TL3MaA==
0PWJHpPJ9zh3nasMO8FIVq0=
19Fom6FBSQ1QrMU=
aYWBmw6431DfHsdW6eo=
Jj7U++2X3M4Eq2Y3
mounscape.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1768-87-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1768-88-0x000000000041F840-mapping.dmp xloader behavioral1/memory/1768-95-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1588-98-0x00000000000C0000-0x00000000000EC000-memory.dmp xloader behavioral1/memory/1588-101-0x00000000000C0000-0x00000000000EC000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
help.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run help.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J0HXNT2HK6R = "C:\\Program Files (x86)\\Ga8t\\config6lghh6d.exe" help.exe -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 8 2044 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1696 vbc.exe 1768 vbc.exe -
Abuses OpenXML format to download file from external location
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vbc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation vbc.exe -
Loads dropped DLL 6 IoCs
Processes:
EQNEDT32.EXEhelp.exepid process 2044 EQNEDT32.EXE 2044 EQNEDT32.EXE 2044 EQNEDT32.EXE 2044 EQNEDT32.EXE 2044 EQNEDT32.EXE 1588 help.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.exehelp.exedescription pid process target process PID 1696 set thread context of 1768 1696 vbc.exe vbc.exe PID 1768 set thread context of 1428 1768 vbc.exe Explorer.EXE PID 1588 set thread context of 1428 1588 help.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
help.exedescription ioc process File opened for modification C:\Program Files (x86)\Ga8t\config6lghh6d.exe help.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEEXCEL.EXEhelp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 help.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 560 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
vbc.exehelp.exepid process 1768 vbc.exe 1768 vbc.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
vbc.exehelp.exepid process 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 1588 help.exe 1588 help.exe 1588 help.exe 1588 help.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
vbc.exehelp.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1768 vbc.exe Token: SeDebugPrivilege 1588 help.exe Token: SeShutdownPrivilege 1428 Explorer.EXE Token: SeShutdownPrivilege 1428 Explorer.EXE Token: SeShutdownPrivilege 1428 Explorer.EXE Token: SeShutdownPrivilege 1428 Explorer.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 560 EXCEL.EXE 560 EXCEL.EXE 560 EXCEL.EXE 1876 WINWORD.EXE 1876 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEhelp.exedescription pid process target process PID 2044 wrote to memory of 1696 2044 EQNEDT32.EXE vbc.exe PID 2044 wrote to memory of 1696 2044 EQNEDT32.EXE vbc.exe PID 2044 wrote to memory of 1696 2044 EQNEDT32.EXE vbc.exe PID 2044 wrote to memory of 1696 2044 EQNEDT32.EXE vbc.exe PID 1876 wrote to memory of 1624 1876 WINWORD.EXE splwow64.exe PID 1876 wrote to memory of 1624 1876 WINWORD.EXE splwow64.exe PID 1876 wrote to memory of 1624 1876 WINWORD.EXE splwow64.exe PID 1876 wrote to memory of 1624 1876 WINWORD.EXE splwow64.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1696 wrote to memory of 1768 1696 vbc.exe vbc.exe PID 1428 wrote to memory of 1588 1428 Explorer.EXE help.exe PID 1428 wrote to memory of 1588 1428 Explorer.EXE help.exe PID 1428 wrote to memory of 1588 1428 Explorer.EXE help.exe PID 1428 wrote to memory of 1588 1428 Explorer.EXE help.exe PID 1588 wrote to memory of 1556 1588 help.exe cmd.exe PID 1588 wrote to memory of 1556 1588 help.exe cmd.exe PID 1588 wrote to memory of 1556 1588 help.exe cmd.exe PID 1588 wrote to memory of 1556 1588 help.exe cmd.exe PID 1588 wrote to memory of 1160 1588 help.exe Firefox.exe PID 1588 wrote to memory of 1160 1588 help.exe Firefox.exe PID 1588 wrote to memory of 1160 1588 help.exe Firefox.exe PID 1588 wrote to memory of 1160 1588 help.exe Firefox.exe PID 1588 wrote to memory of 1160 1588 help.exe Firefox.exe PID 1588 wrote to memory of 544 1588 help.exe cmd.exe PID 1588 wrote to memory of 544 1588 help.exe cmd.exe PID 1588 wrote to memory of 544 1588 help.exe cmd.exe PID 1588 wrote to memory of 544 1588 help.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\WSAPW0650867.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\invc_16[1].docFilesize
20KB
MD5211a8ee8e10adc14b944fab7a196a960
SHA1445901560e0568f9e63ff6195c1bfb0bcd7bd586
SHA256e7fce9b0a293803a0e3305ed64d0de8896abc0f8d274665c1c89af741434b9e4
SHA51217db353e1a562f7fddb6b63541c89a8c93fb71d873a346e63bca6abe19772ea326807ca49e8616a2b0790e2e69dc340cc3a8d4efa32a72687a0a0416904f9878
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
630KB
MD506b455698aba68f911c2f6d17bbefc6a
SHA14116e1345134012a0fc8a84b4bbf6c681621a266
SHA2566d81a69544457d3db38f97932869e0589feed4d7249462cce7aa8b15c6c00bd2
SHA512d64c0219933a0600702d54ca158e794b2784b1040e15d4657d87f46c091ed7ed1addcf3c46859e87c811f5c1543928596990103ae5de29a00eab7999ba7a1b3e
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
memory/544-106-0x0000000000000000-mapping.dmp
-
memory/560-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/560-58-0x0000000075271000-0x0000000075273000-memory.dmpFilesize
8KB
-
memory/560-55-0x00000000711E1000-0x00000000711E3000-memory.dmpFilesize
8KB
-
memory/560-57-0x00000000721CD000-0x00000000721D8000-memory.dmpFilesize
44KB
-
memory/560-78-0x00000000721CD000-0x00000000721D8000-memory.dmpFilesize
44KB
-
memory/560-54-0x000000002FEB1000-0x000000002FEB4000-memory.dmpFilesize
12KB
-
memory/1428-103-0x0000000007230000-0x00000000073AF000-memory.dmpFilesize
1.5MB
-
memory/1428-102-0x0000000007230000-0x00000000073AF000-memory.dmpFilesize
1.5MB
-
memory/1428-93-0x0000000007100000-0x0000000007225000-memory.dmpFilesize
1.1MB
-
memory/1556-96-0x0000000000000000-mapping.dmp
-
memory/1588-94-0x0000000000000000-mapping.dmp
-
memory/1588-101-0x00000000000C0000-0x00000000000EC000-memory.dmpFilesize
176KB
-
memory/1588-100-0x0000000000670000-0x0000000000700000-memory.dmpFilesize
576KB
-
memory/1588-99-0x00000000008B0000-0x0000000000BB3000-memory.dmpFilesize
3.0MB
-
memory/1588-98-0x00000000000C0000-0x00000000000EC000-memory.dmpFilesize
176KB
-
memory/1588-97-0x00000000005D0000-0x00000000005D6000-memory.dmpFilesize
24KB
-
memory/1624-77-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmpFilesize
8KB
-
memory/1624-74-0x0000000000000000-mapping.dmp
-
memory/1696-79-0x00000000002A0000-0x00000000002B6000-memory.dmpFilesize
88KB
-
memory/1696-81-0x00000000003B0000-0x00000000003BA000-memory.dmpFilesize
40KB
-
memory/1696-71-0x0000000000000000-mapping.dmp
-
memory/1696-82-0x0000000004D70000-0x0000000004DDA000-memory.dmpFilesize
424KB
-
memory/1696-83-0x0000000000B30000-0x0000000000B62000-memory.dmpFilesize
200KB
-
memory/1696-75-0x0000000000F80000-0x000000000100C000-memory.dmpFilesize
560KB
-
memory/1768-88-0x000000000041F840-mapping.dmp
-
memory/1768-92-0x00000000001D0000-0x00000000001E1000-memory.dmpFilesize
68KB
-
memory/1768-87-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1768-85-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1768-84-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1768-91-0x00000000008D0000-0x0000000000BD3000-memory.dmpFilesize
3.0MB
-
memory/1768-95-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1876-80-0x00000000721CD000-0x00000000721D8000-memory.dmpFilesize
44KB
-
memory/1876-63-0x00000000721CD000-0x00000000721D8000-memory.dmpFilesize
44KB
-
memory/1876-59-0x000000006B531000-0x000000006B534000-memory.dmpFilesize
12KB