Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28-06-2022 08:26
Static task
static1
Behavioral task
behavioral1
Sample
WSAPW0650867.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
WSAPW0650867.xlsx
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
decrypted.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
decrypted.xlsx
Resource
win10v2004-20220414-en
General
-
Target
decrypted.xlsx
-
Size
156KB
-
MD5
4e4e1faa4f89fd324a0d3cb7609740ee
-
SHA1
c9194e4a27abcf199dd82e6cefc12c100f60c745
-
SHA256
4fa076b9edb70ff44a8c67442a5337293d9e6c6c9c9bf9acc23fce485116a741
-
SHA512
8500aca084c2f591aa0bf2b29f40d6be0866f72c27b869992d66cb754d879554cd41a70fccabbaff01f8e09f8e529102532560c4673e9b1e270724219458f43b
Malware Config
Extracted
xloader
2.9
iewb
n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==
5vIAIY+pt81OtWs+FdIEdk7Y
LHIKc+oWGIQUUlfAAtEEdk7Y
ePM/cX2jvHrS
5hvPEw22+fdvmJz3C8FIVq0=
mb9EeX2jvHrS
Dx2zIYNvfjo8VUo5
6jVPnyJekv2RAc4gLKNwEqQ=
KWatHyjdE5Gj1Ng=
t9lk70gzUAZty4qjbVjF
6eUBeFPzKBWT125BFNIEdk7Y
dZUXOIyqTJGj1Ng=
iL3TVh2Jl5QVStnzxcAhIL8=
J1prtyklUfZGR/xDD71IbkWRd2yx
s9FgCOBRW9bU0Y6jbVjF
RYCbQDzcFBhcylgu
Fl0BV/8RJm6F9QRg8LXXTLo=
0dhumHzrCCZ3wdQg7nFF1AlL6Tk=
xvL+iL6wwX+/wH9K4lbZ/A==
N0lVceIFD5Gj1Ng=
5/mnQbHhJ7IzcYjyQbXXTLo=
luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==
yuh2thpBWtHl2ZV48rXXTLo=
ADcuaODkD5eytord4lbZ/A==
PIWRAgq8/zx4aipDyILc
TdUPJBksRZU=
NorCQjrrH5Gj1Ng=
WXUOku0EDZGj1Ng=
4w8mrX8lanCcoWZLU0SkkkSRd2yx
KIYkq/0QN5gPTFK37XszY0fa
s8lIykhdVZjlEA1g8LXXTLo=
AkBw4LE9RQNHkyRsMQ==
fLzVWEjyMarikyRsMQ==
6j1f2ZsFFRpcylgu
zu3YwbBReoIuUh1vdsGonTCDfw==
EGD0PEju53oDSuwu9765d/4KSkXU3Qxh
rc0aZhksRZU=
Un//ZcCsqyaNtEcnt6mLu7Lqdw==
V4Eqwh4FEHqIflW508EYzYSbOeC5
EiWpwJgAFRV5e1r60cAEdk7Y
VW8Pf9PN65HU1otP4lbZ/A==
FFdOyJcMGxpcylgu
KztLpY85vJkLFw==
yh8vtO4GRPQ2kyRsMQ==
qMfrSiqZvghLUyRy/7XXTLo=
eKTGPwmf3swEq2Y3
aoseYSTrlPsvGQ==
Z6tKw0RfgS5+1o6jbVjF
CyU0azDFBZGj1Ng=
7Cy+5co/ZZbhC8dW6eo=
LXmN0EJimQWHylwnbTS6afIlJZHj+Q==
2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==
jqHcD+eAi5EYlVrJm0TN
cqO55WilyvQ9mG1P4lbZ/A==
BERqtpY6pZDbB8dW6eo=
VpzDHQBueZvY24qjbVjF
OWUELQ6s28NVxom7evrIPfCLfw==
5iO6Dg619fIVQz+Q3I+ZMdmwry4=
d6GiFh7QJaHO2Jxz8bXXTLo=
NlFh6bdVeihxxT1MH+A+TL3MaA==
0PWJHpPJ9zh3nasMO8FIVq0=
19Fom6FBSQ1QrMU=
aYWBmw6431DfHsdW6eo=
Jj7U++2X3M4Eq2Y3
mounscape.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 5 IoCs
Processes:
resource yara_rule behavioral3/memory/1596-88-0x000000000041F840-mapping.dmp xloader behavioral3/memory/1596-87-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral3/memory/1596-91-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral3/memory/1996-99-0x0000000000140000-0x000000000016C000-memory.dmp xloader behavioral3/memory/1996-102-0x0000000000140000-0x000000000016C000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 9 2036 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1108 vbc.exe 1596 vbc.exe -
Abuses OpenXML format to download file from external location
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vbc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation vbc.exe -
Loads dropped DLL 5 IoCs
Processes:
EQNEDT32.EXEpid process 2036 EQNEDT32.EXE 2036 EQNEDT32.EXE 2036 EQNEDT32.EXE 2036 EQNEDT32.EXE 2036 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msdt.exedescription ioc process Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run msdt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HHM81NWHYZ = "C:\\Program Files (x86)\\Eadil_rg\\mfcadfh1n.exe" msdt.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.exemsdt.exedescription pid process target process PID 1108 set thread context of 1596 1108 vbc.exe vbc.exe PID 1596 set thread context of 1296 1596 vbc.exe Explorer.EXE PID 1996 set thread context of 1296 1996 msdt.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
msdt.exedescription ioc process File opened for modification C:\Program Files (x86)\Eadil_rg\mfcadfh1n.exe msdt.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEEXCEL.EXEmsdt.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msdt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1304 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
vbc.exemsdt.exepid process 1596 vbc.exe 1596 vbc.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
vbc.exemsdt.exepid process 1596 vbc.exe 1596 vbc.exe 1596 vbc.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe 1996 msdt.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
vbc.exemsdt.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1596 vbc.exe Token: SeDebugPrivilege 1996 msdt.exe Token: SeShutdownPrivilege 1296 Explorer.EXE Token: SeShutdownPrivilege 1296 Explorer.EXE Token: SeShutdownPrivilege 1296 Explorer.EXE Token: SeShutdownPrivilege 1296 Explorer.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 1304 EXCEL.EXE 1304 EXCEL.EXE 1304 EXCEL.EXE 1892 WINWORD.EXE 1892 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEmsdt.exedescription pid process target process PID 2036 wrote to memory of 1108 2036 EQNEDT32.EXE vbc.exe PID 2036 wrote to memory of 1108 2036 EQNEDT32.EXE vbc.exe PID 2036 wrote to memory of 1108 2036 EQNEDT32.EXE vbc.exe PID 2036 wrote to memory of 1108 2036 EQNEDT32.EXE vbc.exe PID 1892 wrote to memory of 780 1892 WINWORD.EXE splwow64.exe PID 1892 wrote to memory of 780 1892 WINWORD.EXE splwow64.exe PID 1892 wrote to memory of 780 1892 WINWORD.EXE splwow64.exe PID 1892 wrote to memory of 780 1892 WINWORD.EXE splwow64.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1108 wrote to memory of 1596 1108 vbc.exe vbc.exe PID 1296 wrote to memory of 1996 1296 Explorer.EXE msdt.exe PID 1296 wrote to memory of 1996 1296 Explorer.EXE msdt.exe PID 1296 wrote to memory of 1996 1296 Explorer.EXE msdt.exe PID 1296 wrote to memory of 1996 1296 Explorer.EXE msdt.exe PID 1996 wrote to memory of 1492 1996 msdt.exe cmd.exe PID 1996 wrote to memory of 1492 1996 msdt.exe cmd.exe PID 1996 wrote to memory of 1492 1996 msdt.exe cmd.exe PID 1996 wrote to memory of 1492 1996 msdt.exe cmd.exe PID 1996 wrote to memory of 940 1996 msdt.exe Firefox.exe PID 1996 wrote to memory of 940 1996 msdt.exe Firefox.exe PID 1996 wrote to memory of 940 1996 msdt.exe Firefox.exe PID 1996 wrote to memory of 940 1996 msdt.exe Firefox.exe PID 1996 wrote to memory of 940 1996 msdt.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J2W67U9P\invc_16[1].docFilesize
20KB
MD5211a8ee8e10adc14b944fab7a196a960
SHA1445901560e0568f9e63ff6195c1bfb0bcd7bd586
SHA256e7fce9b0a293803a0e3305ed64d0de8896abc0f8d274665c1c89af741434b9e4
SHA51217db353e1a562f7fddb6b63541c89a8c93fb71d873a346e63bca6abe19772ea326807ca49e8616a2b0790e2e69dc340cc3a8d4efa32a72687a0a0416904f9878
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
C:\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
\Users\Public\vbc.exeFilesize
533KB
MD52ca4db9e581608faaacdd0533b4fd783
SHA178065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA2562c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
-
memory/780-78-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB
-
memory/780-75-0x0000000000000000-mapping.dmp
-
memory/1108-79-0x00000000005A0000-0x00000000005B6000-memory.dmpFilesize
88KB
-
memory/1108-76-0x0000000000840000-0x00000000008CC000-memory.dmpFilesize
560KB
-
memory/1108-83-0x00000000020C0000-0x00000000020F2000-memory.dmpFilesize
200KB
-
memory/1108-72-0x0000000000000000-mapping.dmp
-
memory/1108-82-0x00000000050F0000-0x000000000515A000-memory.dmpFilesize
424KB
-
memory/1108-81-0x00000000005B0000-0x00000000005BA000-memory.dmpFilesize
40KB
-
memory/1296-103-0x0000000008FE0000-0x00000000090CE000-memory.dmpFilesize
952KB
-
memory/1296-104-0x0000000008FE0000-0x00000000090CE000-memory.dmpFilesize
952KB
-
memory/1296-94-0x00000000072D0000-0x0000000007477000-memory.dmpFilesize
1.7MB
-
memory/1304-57-0x0000000076451000-0x0000000076453000-memory.dmpFilesize
8KB
-
memory/1304-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1304-54-0x000000002FFF1000-0x000000002FFF4000-memory.dmpFilesize
12KB
-
memory/1304-55-0x00000000715E1000-0x00000000715E3000-memory.dmpFilesize
8KB
-
memory/1304-58-0x00000000725CD000-0x00000000725D8000-memory.dmpFilesize
44KB
-
memory/1304-59-0x00000000725CD000-0x00000000725D8000-memory.dmpFilesize
44KB
-
memory/1492-97-0x0000000000000000-mapping.dmp
-
memory/1596-85-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1596-88-0x000000000041F840-mapping.dmp
-
memory/1596-91-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1596-92-0x0000000000A60000-0x0000000000D63000-memory.dmpFilesize
3.0MB
-
memory/1596-93-0x0000000000270000-0x0000000000281000-memory.dmpFilesize
68KB
-
memory/1596-87-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1596-84-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1892-80-0x00000000725CD000-0x00000000725D8000-memory.dmpFilesize
44KB
-
memory/1892-64-0x00000000725CD000-0x00000000725D8000-memory.dmpFilesize
44KB
-
memory/1892-60-0x000000006B931000-0x000000006B934000-memory.dmpFilesize
12KB
-
memory/1996-95-0x0000000000000000-mapping.dmp
-
memory/1996-100-0x0000000002240000-0x0000000002543000-memory.dmpFilesize
3.0MB
-
memory/1996-101-0x00000000020B0000-0x0000000002140000-memory.dmpFilesize
576KB
-
memory/1996-102-0x0000000000140000-0x000000000016C000-memory.dmpFilesize
176KB
-
memory/1996-99-0x0000000000140000-0x000000000016C000-memory.dmpFilesize
176KB
-
memory/1996-98-0x00000000007B0000-0x00000000008A4000-memory.dmpFilesize
976KB