Analysis
-
max time kernel
114s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-11-2022 08:57
General
-
Target
SUBM70N.docx
-
Size
10KB
-
MD5
3ceee6358bc4c0a06359a579704476dd
-
SHA1
da9abf03b94f81b936415673cc708ee39b6c5f88
-
SHA256
59a7e2d1b792debf604a45fdfe24715d855473075ede2c3a417c8f4e7fb0249f
-
SHA512
6b4b1744e63f1b4848a7be36c7cc9ef12f40a34c1909dac13dfcc230a9b8001e69657c8d6662565e17f54604e8c46f4641b5f1ff37089b3702d15f89f41093b4
-
SSDEEP
192:ScIMmtPqCJuEG/bBLgO35Xhz2ru5JhBH3QBV:SPXyJTJgOJEaJrQ/
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Abuses OpenXML format to download file from external location 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SUBM70N.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Public\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exeFilesize
295.4MB
MD546eba07d6f56645a0da3bfff8a076637
SHA1027cadd09efddb18e0b133e27092214ea2b049ad
SHA256ce8fcef7fb9e1b6a7547db422f682b11cc5927b9cb9261f76a16679717a39431
SHA5126e1ce6de44f04d004d1f746cbd382e2df5b6e75e1fbac6f684d7501c3c6ab260e93fbfa6663918027c813a7bcd8111b2113428f95a82ada30f61e352e632fd17
-
C:\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
C:\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
\Users\Admin\Libalo rorecime yanem movequew baka pen yof yadequi fequa\Quivafe_mef.exeFilesize
295.8MB
MD51a486bbe89732faa6b37f211c71dde14
SHA131205884572c951d0028d350cdbc7ffd6a639262
SHA256263d2cea6d0707b9b3f90c5d9d9568c5de303f62651f70c90f7472ba8dea7636
SHA512d3760e52a3f5d7709d4f3379fd10853bcf760bd8b64d4809765ff273b77a4e85510b43d8500fbba227bf98d716681daeb49a58e2b4dfc10717c3395a13373529
-
\Users\Public\vbc.exeFilesize
1.5MB
MD56cfd66231ad6321329aa7c193b35906f
SHA1a49b452f2e230e68903fbde8ffb16f18134f1930
SHA2560cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA51243f3ec9ae37e79b28266bcdbb0caea41b2e6d07692d893ac87ec9c1f146389f01db07f958a90fdb7fd790e978eefc4cacc73ebc79309a51ec3547f6ea22e5a92
-
memory/1696-78-0x0000000000000000-mapping.dmp
-
memory/1752-71-0x0000000000000000-mapping.dmp
-
memory/1776-79-0x0000000002130000-0x0000000002850000-memory.dmpFilesize
7.1MB
-
memory/1776-80-0x0000000002850000-0x00000000029BA000-memory.dmpFilesize
1.4MB
-
memory/1776-82-0x000000000D870000-0x000000000DD91000-memory.dmpFilesize
5.1MB
-
memory/1776-83-0x000000000D870000-0x000000000DD91000-memory.dmpFilesize
5.1MB
-
memory/1776-73-0x0000000000000000-mapping.dmp
-
memory/1776-86-0x0000000002850000-0x00000000029BA000-memory.dmpFilesize
1.4MB
-
memory/1816-70-0x000007FEFC161000-0x000007FEFC163000-memory.dmpFilesize
8KB
-
memory/1816-69-0x0000000000000000-mapping.dmp
-
memory/1840-76-0x0000000000000000-mapping.dmp
-
memory/1916-77-0x0000000000A10000-0x0000000000B7A000-memory.dmpFilesize
1.4MB
-
memory/1916-62-0x0000000000000000-mapping.dmp
-
memory/1916-64-0x00000000024C0000-0x0000000002BE0000-memory.dmpFilesize
7.1MB
-
memory/1916-67-0x0000000000A10000-0x0000000000B7A000-memory.dmpFilesize
1.4MB
-
memory/1916-68-0x00000000024C0000-0x0000000002BE0000-memory.dmpFilesize
7.1MB
-
memory/1928-59-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-54-0x0000000072D01000-0x0000000072D04000-memory.dmpFilesize
12KB
-
memory/1928-58-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-57-0x00000000762B1000-0x00000000762B3000-memory.dmpFilesize
8KB
-
memory/1928-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-84-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-85-0x000000007176D000-0x0000000071778000-memory.dmpFilesize
44KB
-
memory/1928-55-0x0000000070781000-0x0000000070783000-memory.dmpFilesize
8KB
-
memory/2008-75-0x0000000000000000-mapping.dmp