modiloader | ac95153d7a46449984b704784dc870c7fd9bdb8809fc2e31ff5b5db2d1a53bc9

General

Target

SOA 25.07.2022 - (OUTSTANDING_MARCH Till Date.docx
Size

72KB
MD5

950b9dddb59acefed85130122cff05c7
SHA1

e01b80f4e8ec62c5e24d0f02dedfd64003f18ac3
SHA256

ac95153d7a46449984b704784dc870c7fd9bdb8809fc2e31ff5b5db2d1a53bc9
SHA512

c3efc65a685d2e30346982321a5f452aa178a8a65c5ae7f3102789588cd6a3f6e76fe9e96ac5e2721948ed02b91f1468f8e9b358a2e544db69ae6c782dfed271

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 44 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1456-71-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-73-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-76-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-77-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-75-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-74-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-78-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-79-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-80-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-81-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-82-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-83-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-84-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-85-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-86-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-87-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-88-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-89-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-90-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-91-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-92-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-93-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-102-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-103-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-104-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-105-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-106-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-107-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-108-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-109-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-110-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-111-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-112-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-113-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-114-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-115-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-116-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-117-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-118-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-119-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-120-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-121-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-122-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2
behavioral1/memory/1456-123-0x0000000004BE0000-0x0000000004C7C000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1260 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1456 vbc.exe
Abuses OpenXML format to download file from external location
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1260 EQNEDT32.EXE
1260 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1260	EQNEDT32.EXE

pid	process
1456	vbc.exe

pid	process
1260	EQNEDT32.EXE
1260	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epfokx = "C:\\Users\\Public\\Libraries\\xkofpE.url"	vbc.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	process
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1260 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1260	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	vbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vbc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1164 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1456 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cleanmgr.exeWINWORD.EXE

description pid process

Token: SeShutdownPrivilege 1684 cleanmgr.exe
Token: SeShutdownPrivilege 1164 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1164 WINWORD.EXE
1164 WINWORD.EXE

pid	process
1164	WINWORD.EXE

pid	process
1456	vbc.exe

description	pid	process
Token: SeShutdownPrivilege	1684	cleanmgr.exe
Token: SeShutdownPrivilege	1164	WINWORD.EXE

pid	process
1164	WINWORD.EXE
1164	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1260 wrote to memory of 1456	1260	EQNEDT32.EXE	vbc.exe
PID 1260 wrote to memory of 1456	1260	EQNEDT32.EXE	vbc.exe
PID 1260 wrote to memory of 1456	1260	EQNEDT32.EXE	vbc.exe
PID 1260 wrote to memory of 1456	1260	EQNEDT32.EXE	vbc.exe
PID 1164 wrote to memory of 2012	1164	WINWORD.EXE	splwow64.exe
PID 1164 wrote to memory of 2012	1164	WINWORD.EXE	splwow64.exe
PID 1164 wrote to memory of 2012	1164	WINWORD.EXE	splwow64.exe
PID 1164 wrote to memory of 2012	1164	WINWORD.EXE	splwow64.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe
PID 1456 wrote to memory of 1684	1456	vbc.exe	cleanmgr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA 25.07.2022 - (OUTSTANDING_MARCH Till Date.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2012

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
e11a900b4a4e9ea746f13ca831abbd5f

SHA1
a0aa50f97cede7483543689fd98c0a367c643165

SHA256
18a639a834db8ff077bd48979639e2127e0968b4f5a902dd5584b3fa7d7b29e7

SHA512
f16acbc71d5ec0bcfccc82d339a8d6bc282b2ec082d8cb6d07eb4d2a0a6f9940bb2551a8b3c8021798745860d7b05849f8c18136f493c4302bebb627a6acf01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C1112F33-89D2-4D44-BC3A-1EF18C958CC1}.FSD
Filesize
128KB

MD5
c3aaa749f66926f96821f8828fb3108c

SHA1
b039f39e04da6c98e66994739fcfe46b98265a52

SHA256
833925a58784cb7b06166c8b8f7b7822fac66c4ea17db46667f8ff8c5d706637

SHA512
60c8aeb3d0a2e45b051b043eeff1ccc76de0645f114c9956900af033f6fb5bb475f33bef2f196c1693d5cd41a0c0722c52d1fd87d492596a13a94181d63a083b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
Filesize
114B

MD5
0357a2449a1066a55c1c4a77c80edabb

SHA1
ee465e20e7ecd1f84023eeca510f2ef8bfb7e6a7

SHA256
227f5468687cef0cd8177c4dd6d965d9fbcf1844c8a41026ab11630ff9a5455a

SHA512
da84ed740c198880b7ef9d7f718f850b85ee9e3995feef3099f6008beda50fc2f83865431e530ea4b23e13a456cbaf2ec8094766b97cef67732c2e7a301b260c

Download Submit
C:\Users\Public\vbc.exe
Filesize
836KB

MD5
6217729a551773d6f2406c7edad29fed

SHA1
d14325342197a34125ed7d7da114c4dab28e9b57

SHA256
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f

SHA512
c8eb84d3baf8638e76337c4bc83f99405029d33b609ffbbfdcca66348cf2cb839390cde2f3b883fb4562d16d314bae6fab3711cfed117dfc3a541ead08fb2519

Download Submit
C:\Users\Public\vbc.exe
Filesize
836KB

MD5
6217729a551773d6f2406c7edad29fed

SHA1
d14325342197a34125ed7d7da114c4dab28e9b57

SHA256
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f

SHA512
c8eb84d3baf8638e76337c4bc83f99405029d33b609ffbbfdcca66348cf2cb839390cde2f3b883fb4562d16d314bae6fab3711cfed117dfc3a541ead08fb2519

Download Submit
\Users\Public\vbc.exe
Filesize
836KB

MD5
6217729a551773d6f2406c7edad29fed

SHA1
d14325342197a34125ed7d7da114c4dab28e9b57

SHA256
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f

SHA512
c8eb84d3baf8638e76337c4bc83f99405029d33b609ffbbfdcca66348cf2cb839390cde2f3b883fb4562d16d314bae6fab3711cfed117dfc3a541ead08fb2519

Download Submit
\Users\Public\vbc.exe
Filesize
836KB

MD5
6217729a551773d6f2406c7edad29fed

SHA1
d14325342197a34125ed7d7da114c4dab28e9b57

SHA256
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f

SHA512
c8eb84d3baf8638e76337c4bc83f99405029d33b609ffbbfdcca66348cf2cb839390cde2f3b883fb4562d16d314bae6fab3711cfed117dfc3a541ead08fb2519

Download Submit
memory/1164-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1164-58-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/1164-59-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/1164-125-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/1164-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1164-57-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x0000000070621000-0x0000000070623000-memory.dmp

Filesize
8KB

Download
memory/1164-54-0x0000000072BA1000-0x0000000072BA4000-memory.dmp

Filesize
12KB

Download
memory/1456-92-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-103-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-74-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-78-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-79-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-80-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-81-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-82-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-83-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-84-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-85-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-86-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-87-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-88-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-89-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-90-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-91-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-77-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-93-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-63-0x0000000000000000-mapping.dmp

Download
memory/1456-76-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-73-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-71-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-123-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-102-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-75-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-104-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-105-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-106-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-107-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-108-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-109-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-110-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-111-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-112-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-113-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-114-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-115-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-116-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-117-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-118-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-119-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-120-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-121-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1456-122-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1684-100-0x0000000050410000-0x000000005043D000-memory.dmp

Filesize
180KB

Download
memory/1684-94-0x0000000000000000-mapping.dmp

Download
memory/2012-68-0x0000000000000000-mapping.dmp

Download
memory/2012-69-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads