Analysis
-
max time kernel
114s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 08:57
Static task
static1
Behavioral task
behavioral1
Sample
SUBM70N.docx
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SUBM70N.docx
Resource
win10v2004-20221111-en
General
-
Target
SUBM70N.docx
-
Size
10KB
-
MD5
3ceee6358bc4c0a06359a579704476dd
-
SHA1
da9abf03b94f81b936415673cc708ee39b6c5f88
-
SHA256
59a7e2d1b792debf604a45fdfe24715d855473075ede2c3a417c8f4e7fb0249f
-
SHA512
6b4b1744e63f1b4848a7be36c7cc9ef12f40a34c1909dac13dfcc230a9b8001e69657c8d6662565e17f54604e8c46f4641b5f1ff37089b3702d15f89f41093b4
-
SSDEEP
192:ScIMmtPqCJuEG/bBLgO35Xhz2ru5JhBH3QBV:SPXyJTJgOJEaJrQ/
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1700 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exeQuivafe_mef.exepid process 1916 vbc.exe 1776 Quivafe_mef.exe -
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Common\Offline\Files\http://911154186/000000_0000000_000000_000000_0000000_000000_0000/0000_000000_00000.doc WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 1700 EQNEDT32.EXE 1916 vbc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1928 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
vbc.exeQuivafe_mef.exepid process 1916 vbc.exe 1916 vbc.exe 1916 vbc.exe 1916 vbc.exe 1916 vbc.exe 1776 Quivafe_mef.exe 1776 Quivafe_mef.exe 1776 Quivafe_mef.exe 1776 Quivafe_mef.exe 1776 Quivafe_mef.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 1928 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1928 WINWORD.EXE 1928 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.execmd.exedescription pid process target process PID 1700 wrote to memory of 1916 1700 EQNEDT32.EXE vbc.exe PID 1700 wrote to memory of 1916 1700 EQNEDT32.EXE vbc.exe PID 1700 wrote to memory of 1916 1700 EQNEDT32.EXE vbc.exe PID 1700 wrote to memory of 1916 1700 EQNEDT32.EXE vbc.exe PID 1928 wrote to memory of 1816 1928 WINWORD.EXE splwow64.exe PID 1928 wrote to memory of 1816 1928 WINWORD.EXE splwow64.exe PID 1928 wrote to memory of 1816 1928 WINWORD.EXE splwow64.exe PID 1928 wrote to memory of 1816 1928 WINWORD.EXE splwow64.exe PID 1916 wrote to memory of 1752 1916 vbc.exe schtasks.exe PID 1916 wrote to memory of 1752 1916 vbc.exe schtasks.exe PID 1916 wrote to memory of 1752 1916 vbc.exe schtasks.exe PID 1916 wrote to memory of 1752 1916 vbc.exe schtasks.exe PID 1916 wrote to memory of 1776 1916 vbc.exe Quivafe_mef.exe PID 1916 wrote to memory of 1776 1916 vbc.exe Quivafe_mef.exe PID 1916 wrote to memory of 1776 1916 vbc.exe Quivafe_mef.exe PID 1916 wrote to memory of 1776 1916 vbc.exe Quivafe_mef.exe PID 1916 wrote to memory of 2008 1916 vbc.exe cmd.exe PID 1916 wrote to memory of 2008 1916 vbc.exe cmd.exe PID 1916 wrote to memory of 2008 1916 vbc.exe cmd.exe PID 1916 wrote to memory of 2008 1916 vbc.exe cmd.exe PID 2008 wrote to memory of 1840 2008 cmd.exe chcp.com PID 2008 wrote to memory of 1840 2008 cmd.exe chcp.com PID 2008 wrote to memory of 1840 2008 cmd.exe chcp.com PID 2008 wrote to memory of 1840 2008 cmd.exe chcp.com PID 2008 wrote to memory of 1696 2008 cmd.exe PING.EXE PID 2008 wrote to memory of 1696 2008 cmd.exe PING.EXE PID 2008 wrote to memory of 1696 2008 cmd.exe PING.EXE PID 2008 wrote to memory of 1696 2008 cmd.exe PING.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SUBM70N.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Public\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exeFilesize
295.4MB
MD546eba07d6f56645a0da3bfff8a076637
SHA1027cadd09efddb18e0b133e27092214ea2b049ad
SHA256ce8fcef7fb9e1b6a7547db422f682b11cc5927b9cb9261f76a16679717a39431
SHA5126e1ce6de44f04d004d1f746cbd382e2df5b6e75e1fbac6f684d7501c3c6ab260e93fbfa6663918027c813a7bcd8111b2113428f95a82ada30f61e352e632fd17
-
C:\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
C:\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exeFilesize
295.8MB
MD51a486bbe89732faa6b37f211c71dde14
SHA131205884572c951d0028d350cdbc7ffd6a639262
SHA256263d2cea6d0707b9b3f90c5d9d9568c5de303f62651f70c90f7472ba8dea7636
SHA512d3760e52a3f5d7709d4f3379fd10853bcf760bd8b64d4809765ff273b77a4e85510b43d8500fbba227bf98d716681daeb49a58e2b4dfc10717c3395a13373529
-
\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
memory/1696-78-0x0000000000000000-mapping.dmp
-
memory/1752-71-0x0000000000000000-mapping.dmp
-
memory/1776-79-0x0000000002130000-0x0000000002850000-memory.dmpFilesize
7.1MB
-
memory/1776-80-0x0000000002850000-0x00000000029BA000-memory.dmpFilesize
1.4MB
-
memory/1776-82-0x000000000D870000-0x000000000DD91000-memory.dmpFilesize
5.1MB
-
memory/1776-83-0x000000000D870000-0x000000000DD91000-memory.dmpFilesize
5.1MB
-
memory/1776-73-0x0000000000000000-mapping.dmp
-
memory/1776-86-0x0000000002850000-0x00000000029BA000-memory.dmpFilesize
1.4MB
-
memory/1816-70-0x000007FEFC161000-0x000007FEFC163000-memory.dmpFilesize
8KB
-
memory/1816-69-0x0000000000000000-mapping.dmp
-
memory/1840-76-0x0000000000000000-mapping.dmp
-
memory/1916-77-0x0000000000A10000-0x0000000000B7A000-memory.dmpFilesize
1.4MB
-
memory/1916-62-0x0000000000000000-mapping.dmp
-
memory/1916-64-0x00000000024C0000-0x0000000002BE0000-memory.dmpFilesize
7.1MB
-
memory/1916-67-0x0000000000A10000-0x0000000000B7A000-memory.dmpFilesize
1.4MB
-
memory/1916-68-0x00000000024C0000-0x0000000002BE0000-memory.dmpFilesize
7.1MB
-
memory/1928-59-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-54-0x0000000072D01000-0x0000000072D04000-memory.dmpFilesize
12KB
-
memory/1928-58-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-57-0x00000000762B1000-0x00000000762B3000-memory.dmpFilesize
8KB
-
memory/1928-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-84-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-85-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-55-0x0000000070781000-0x0000000070783000-memory.dmpFilesize
8KB
-
memory/2008-75-0x0000000000000000-mapping.dmp