Analysis
max time kernel: 111s
max time network: 103s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-02-2023 20:07

Static task: static1

Behavioral task: behavioral1
  Sample: PO-20-02-2023.docx
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: PO-20-02-2023.docx
  Resource: win10v2004-20220812-en
General
Target: PO-20-02-2023.docx
Size: 11KB
MD5: c94062b9a586d15cd884246aefb0a75b
SHA1: 22a13b5db65f00a9e91e8c37e496df25b5276e77
SHA256: 0d9a51628cb6ef7cfa6074d8c6e89f61e2321bfbb39b7ce9a2e2d1972e0e163e
SHA512: 18c9d7f96317d483093b5966cadb82e45a2310eea351b54f928554bef8c439cfd454a5a9ba0e1fe3ea1322d798e4d3c5cb9ed7496c545af3e5d822ecdba36fdb
SSDEEP: 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCusiWVd:aNxUyn0i13LROEiOLkX6Ujnw+3VyVd
Malware Config
Extracted
lokibot
http://208.67.105.148/okuma/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
7 | 1244 | EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625038/O--OO.DOC | WINWORD.EXE

Executes dropped EXE 2 IoCs
Processes:
pid | process
1544 | vbc.exe
1624 | vbc.exe

Loads dropped DLL 5 IoCs
Processes:
pid | process
1244 | EQNEDT32.EXE
1244 | EQNEDT32.EXE
1244 | EQNEDT32.EXE
1244 | EQNEDT32.EXE
1244 | EQNEDT32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vbc.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1544 set thread context of 1624 | 1544 | vbc.exe | vbc.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
752 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1624 | vbc.exe
Token: SeShutdownPrivilege | 752 | WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
752 | WINWORD.EXE
752 | WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1244 wrote to memory of 1544 | 1244 | EQNEDT32.EXE | vbc.exe
PID 1244 wrote to memory of 1544 | 1244 | EQNEDT32.EXE | vbc.exe
PID 1244 wrote to memory of 1544 | 1244 | EQNEDT32.EXE | vbc.exe
PID 1244 wrote to memory of 1544 | 1244 | EQNEDT32.EXE | vbc.exe
PID 752 wrote to memory of 320 | 752 | WINWORD.EXE | splwow64.exe
PID 752 wrote to memory of 320 | 752 | WINWORD.EXE | splwow64.exe
PID 752 wrote to memory of 320 | 752 | WINWORD.EXE | splwow64.exe
PID 752 wrote to memory of 320 | 752 | WINWORD.EXE | splwow64.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe
PID 1544 wrote to memory of 1624 | 1544 | vbc.exe | vbc.exe

outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe

outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-20-02-2023.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{16B091FB-3DF6-42A3-8A9D-A6A4D207775F}.FSD
  Filesize: 128KB
  MD5: 23939c07d655672a77bc761c27a8c181
  SHA1: 73ae2205a1861d5a64adfa5ac502cb0ddc4a3229
  SHA256: 1cb8073b9f8db73edfd8b4b39baea0ea585d6b18a6ebf563bd4798bc45f0ed80
  SHA512: f70149c554c1208385994c76de6b5b7c30f6431c0060e6e4dd0165c89b6068639a988f2dd308630243e360958fd023352d17f96910af224231198422557f1cc2

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 104005c01170d309813a409ff66b31d5
  SHA1: f535215fd450483a4a52a8396a074920c869ecc8
  SHA256: f06240d218058df30c4b05d6fa90bf70255ca139f463c0dd9a769998dfcc56bd
  SHA512: 617bbb7a6c27eebd0730de758bab473b37e4d133868cb69dbb5598287b7c6b313844bf225e7546fd136a325670617ed327c740213e99d4e48422cb6cbe663658

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: fadc138eb9875d337b28ed39a0fb0b7f
  SHA1: 0586b6483fa3c49a3d4a21589e9961e6a75945b7
  SHA256: dd941ae7d626c1d969bd0862ae60c7662da08a8e8ebc2193e03986f17ac380ac
  SHA512: 0b3250f2aecb865c78efa9cfcc73a60a51aff26bbad776c436a018c6d013c9c23a88fdaa095e95ae3c1944af8aa2d4a4d63577aad1a27848f3fa6b7263223bf4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{14D1A1FD-6852-4AEC-BF10-19CD9B5C8F80}.FSD
  Filesize: 128KB
  MD5: 02498d807165d40e7bb7b4596305d221
  SHA1: 76a0199cda0e5a57fa8ace80d88cbb41f9bfadee
  SHA256: 3e0ee6704db134098cc0528037179a747ae00023e3320961d097a502876b6597
  SHA512: db758a344729743d149ec23cd8c472047742c206f9bc7f0167a56c89357a361c5f1a52254a027b15c9748edfa4e9d875e26099e951b547aa447559f65a47c488

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\O--OO[1].doc
  Filesize: 15KB
  MD5: b889ba28933af645637ca6036ad1ccc2
  SHA1: 8d06387e577ef13546aab1c4888c3d9109e7da64
  SHA256: f9f5920a5e9235d1ee4ed4a225f95654689cfd7fa34150672055a499ab13a25d
  SHA512: 923be81c2ec40d003b25b6d4087414a968676720122201d7aa372168f8680e5917f49870853a934670510c90ff78878e577e048070b9125bb520864f35ba5543

C:\Users\Admin\AppData\Local\Temp\{19A15DB8-E675-4A1E-AC79-E1F3062D85A3}
  Filesize: 128KB
  MD5: e40184fbe55f748259be4d3d6484f88f
  SHA1: f93fd61f6c41a9669c8ce946c889c73157b46c5e
  SHA256: f590ac485401a6e80899edf6c24aa2280a165752b25cbe375ac84c1ade723378
  SHA512: d53b9f4359bd6b34ed12e06ebcec17171848d9e40a1d63b5b0b50a18cf62538b4098654d1e39ac61acf26c27614cae669cc6c0a67e051273fb77334fe9c66fb3

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 76e02470bd581ff47e75b958200c3cdf
  SHA1: 2975b5f64b634c635e581218c1f17a602d14da33
  SHA256: 21f50cfc73a0d4167f2896ab9d81d325b056fa92f7681c996f5702192eb98bc7
  SHA512: 4759eaa01cd1741a0ca0a7f491f8020f35f234a50d4f489ae45fcaf773b47fa81902632a61381cce0d25affbe22384070db37ba26574ebd45eea534b22883448

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Public\vbc.exe
  Filesize: 951KB
  MD5: 1bf9b73c459e8a0703e006716dd8222d
  SHA1: 33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da
  SHA256: 8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b
  SHA512: d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

\Users\Public\vbc.exe
  Filesize: 951KB
  MD5: 1bf9b73c459e8a0703e006716dd8222d
  SHA1: 33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da
  SHA256: 8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b
  SHA512: d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3
memory/752-216-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/752-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/1544-153-0x0000000000830000-0x0000000000924000-memory.dmp
  Filesize: 976KB

memory/1544-155-0x0000000004D20000-0x0000000004D60000-memory.dmp
  Filesize: 256KB

memory/1544-160-0x00000000003C0000-0x00000000003D6000-memory.dmp
  Filesize: 88KB

memory/1544-170-0x0000000004D20000-0x0000000004D60000-memory.dmp
  Filesize: 256KB

memory/1544-171-0x00000000003D0000-0x00000000003DC000-memory.dmp
  Filesize: 48KB

memory/1544-172-0x0000000008030000-0x00000000080D8000-memory.dmp
  Filesize: 672KB

memory/1544-173-0x00000000005E0000-0x0000000000604000-memory.dmp
  Filesize: 144KB

memory/1624-175-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-178-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-179-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

memory/1624-180-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-177-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-183-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-184-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-188-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-176-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB

memory/1624-174-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB