Analysis
-
max time kernel
108s -
max time network
109s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
20-02-2023 19:42
Static task
static1
Behavioral task
behavioral1
Sample
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource
win10v2004-20230220-en
General
-
Target
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
-
Size
10KB
-
MD5
73eb1fe347f4570fa1fbcbd6b5130f54
-
SHA1
dc5df0f94c44ad73c16df705f042a88c21f641cc
-
SHA256
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
-
SHA512
2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
-
SSDEEP
192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
citalmet.com.ar - Port:
587 - Username:
log@citalmet.com.ar - Password:
payment@123
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/616-160-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/616-159-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/616-162-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/616-165-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/616-167-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/616-168-0x0000000004BF0000-0x0000000004C30000-memory.dmp family_snakekeylogger behavioral1/memory/616-196-0x0000000004BF0000-0x0000000004C30000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1092 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Common\Offline\Files\http://1755848856/O__O.DOC WINWORD.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1768 vbc.exe 616 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1092 EQNEDT32.EXE 1092 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 1768 set thread context of 616 1768 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1368 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
vbc.exevbc.exepid process 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 1768 vbc.exe 616 vbc.exe 616 vbc.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1768 vbc.exe Token: SeDebugPrivilege 616 vbc.exe Token: SeShutdownPrivilege 1368 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1368 WINWORD.EXE 1368 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1092 wrote to memory of 1768 1092 EQNEDT32.EXE vbc.exe PID 1092 wrote to memory of 1768 1092 EQNEDT32.EXE vbc.exe PID 1092 wrote to memory of 1768 1092 EQNEDT32.EXE vbc.exe PID 1092 wrote to memory of 1768 1092 EQNEDT32.EXE vbc.exe PID 1368 wrote to memory of 1552 1368 WINWORD.EXE splwow64.exe PID 1368 wrote to memory of 1552 1368 WINWORD.EXE splwow64.exe PID 1368 wrote to memory of 1552 1368 WINWORD.EXE splwow64.exe PID 1368 wrote to memory of 1552 1368 WINWORD.EXE splwow64.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe PID 1768 wrote to memory of 616 1768 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2E5B0EE7-0577-42B8-AD44-7AEE250D93C5}.FSDFilesize
128KB
MD559ac1f7b638c58d64b5d6fa78dda4e9a
SHA1e94db566c8d0edd706f0bbf38f61b88e5f2028e3
SHA256c8aab6348798334b86f7e0f60799f8a53f16d2b0ab8520b037f40c699e77873f
SHA512c7af6d05d9fc0315c57ea2a6717f4d258e81685171f9f08da89628070285d9f1349c73448c9a7407b9909139a3e960954d7cae7e2b1213c2db565f9934b3df20
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5e3bd952d1334e9ab97cfd9318811a18f
SHA1dbff0fc52f12b8f28871f0998655eaf66ea93297
SHA25655ae54d1c0c918ce12bb2304f8ca4a2af366affef88545b59fa6e77e32581c38
SHA512392a4b81e6d019ba44a75365d22c7a6bd8c55df875f6fdd0c4dc94994f5ea631bd83fa232e41e4fb7a75597133b492e9ed93c10aea2da60d33843e4fd9cc1d96
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\O__O[1].docFilesize
17KB
MD5bb305858814d868425bd5d85e202991b
SHA14c152743525f39a16e56f9bd15e8a0924044355d
SHA2564da95ef6e49749b7b925c11ad25822791179a009f87ff46b3507322c0bff086a
SHA512e908ccac56e65472fb724189012619be8a92a20e6ae731a3517b0a7203f96ecc76d0c9d4943cbc8cda6edd45a69f10d23ea268f22abf34d5d3e770ceadfe36fa
-
C:\Users\Admin\AppData\Local\Temp\{87CA871C-DE77-40F4-AAB1-F9F0FF16AE74}Filesize
128KB
MD5422846c17962bd8db1332fd086409874
SHA1e33462bac4afdcaa1c6173296b062514502ed643
SHA256582afa91c9cb76f2d87c089fc705ee24022cbbd170da96d77fc74e9c25a60a4a
SHA512a3fe3749462387a68eea344c340d887eb9b9bbe68ed74248febfc5b1b9c90033f368a527febfc2801df678472378ddf983095d0f95f1dafff2e6abe297f5a4cb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5563179a1471860b777820d432c8fcb78
SHA127c3fbc80fdc733123b2cc8025be133e3daffdf7
SHA25601580a28b8fbaca26b5b8461c927c476bad1fc88fc5e1e6ed83cf2a12c8a7e1a
SHA512772f0afbee05a16b73866d6506df34ff58ef8338ca58587a38a520796e042399a0d5ee31fbd561956da093f157191d52d12d57c1ab01786f456be92c2b39dcaf
-
C:\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
C:\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
C:\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
C:\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
\Users\Public\vbc.exeFilesize
978KB
MD5a0637f11f853be8f538885daccbea677
SHA1d970b69bbc89f1246e46907e0fdbaf5392e4d4da
SHA256180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
SHA51275b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc
-
memory/616-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/616-165-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-196-0x0000000004BF0000-0x0000000004C30000-memory.dmpFilesize
256KB
-
memory/616-168-0x0000000004BF0000-0x0000000004C30000-memory.dmpFilesize
256KB
-
memory/616-167-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-162-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-157-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-158-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-160-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/616-159-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1368-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1368-195-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1768-145-0x0000000000650000-0x0000000000690000-memory.dmpFilesize
256KB
-
memory/1768-156-0x0000000000B90000-0x0000000000BBA000-memory.dmpFilesize
168KB
-
memory/1768-146-0x00000000004A0000-0x00000000004B6000-memory.dmpFilesize
88KB
-
memory/1768-155-0x0000000007F40000-0x0000000007FEE000-memory.dmpFilesize
696KB
-
memory/1768-154-0x00000000005F0000-0x00000000005FC000-memory.dmpFilesize
48KB
-
memory/1768-144-0x0000000001160000-0x000000000125C000-memory.dmpFilesize
1008KB
-
memory/1768-153-0x0000000000650000-0x0000000000690000-memory.dmpFilesize
256KB