e4dc9cb9964c7f525c257d9a56c3e2f0774d14b0ae9f2df7b49ae1293016d6e1

Analysis

max time kernel
150s
max time network
106s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.docx
Size

10KB
MD5

6735d0c45ca69ea598bda6fdd9c2cc62
SHA1

7ef80d7b65e5c30517f1b5c8f7e1be00bfa6f461
SHA256

e4dc9cb9964c7f525c257d9a56c3e2f0774d14b0ae9f2df7b49ae1293016d6e1
SHA512

82820b67b03916b488713cb9b5cbf7f5e96ca1f8e521d565f8dd075ea96eca13d8f378cccc13cc1e5b80f424e69cdac428b73a126f9a65f37fcce175b75b0ea6
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4OU7us+1pReDnc37f0F:SPX+si10ni4OIyeDnMr8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1456 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1456	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Common\Offline\Files\http://392074340/O-OO.DOC	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

916 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1456 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1456	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1456 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1456	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1976 WINWORD.EXE

pid	process
1976	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

vbc.exepowershell.exe

pid	process
916	vbc.exe
1880	powershell.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe
916	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 916 vbc.exe
Token: SeDebugPrivilege 1880 powershell.exe
Token: SeShutdownPrivilege 1976 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1976 WINWORD.EXE
1976 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	916	vbc.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeShutdownPrivilege	1976	WINWORD.EXE

pid	process
1976	WINWORD.EXE
1976	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1456 wrote to memory of 916	1456	EQNEDT32.EXE	vbc.exe
PID 1456 wrote to memory of 916	1456	EQNEDT32.EXE	vbc.exe
PID 1456 wrote to memory of 916	1456	EQNEDT32.EXE	vbc.exe
PID 1456 wrote to memory of 916	1456	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1708	1976	WINWORD.EXE	splwow64.exe
PID 1976 wrote to memory of 1708	1976	WINWORD.EXE	splwow64.exe
PID 1976 wrote to memory of 1708	1976	WINWORD.EXE	splwow64.exe
PID 1976 wrote to memory of 1708	1976	WINWORD.EXE	splwow64.exe
PID 916 wrote to memory of 1880	916	vbc.exe	powershell.exe
PID 916 wrote to memory of 1880	916	vbc.exe	powershell.exe
PID 916 wrote to memory of 1880	916	vbc.exe	powershell.exe
PID 916 wrote to memory of 1880	916	vbc.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1708

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfbsKVCKbOh.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F737AC92-B0BF-4D46-917E-217FA0C6CD35}.FSD
Filesize
128KB

MD5
2552960b4106c177b045a451e02ae5b2

SHA1
8d0a6629b71e6048c0661f0455c3d80b501746e2

SHA256
c6bf48cfefec56f19c0946c2fea7215871cde390b82fe1838c3cafb38b057ee4

SHA512
04b1d0b20fc2c9ee11773c6c8ca2ff53db3c6640962c10100bc528bf15141c707353c05c88345ed015878dbf31d244c6070bce3eab34ce76016a2a0add93979f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
9a8a527d3360c96383ea64acb571e374

SHA1
b1a8ff2ce9dd7c4f8c3705b674ba771e9d0744dd

SHA256
8303e6a486faac93faa86f3aa76d369d35e313b41fb4f86cde5bb00f6a577e8d

SHA512
6492253c27d5eca51cead6be86727804485331f9ca8fe80b395642756fe2c9e9a09482695ce05b5eb4c1e9240c2d06e2a07a773fd75ef47ce2fcdcb392e81094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{88A42159-F90B-42BD-98BE-49E6E4B183FF}.FSD
Filesize
128KB

MD5
871127698f0af30fa9e00efe737075d3

SHA1
f6306cc118a5a270a0b0f56b0608b04eeabf8397

SHA256
29dd337416bbf204fd5fafc367840582515acd71a7f6287649fd59ebdcdce603

SHA512
57605583189b56054b82b4bfa14c848b07051283b18f272fca2437f11133c156888a910619848e6bf8503a6fd68608de0493dba888d7a9cf2f7ef992f921f0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\O-OO[1].doc
Filesize
16KB

MD5
f5fa15de93803a87e9b2ab1a136607f9

SHA1
a0f6c055032bcc2cb547e1be9c8ca2cea992ecd4

SHA256
68b3b4b4b491482f3c44e62d6b3863b5f4aeedb9608a6c27e4eeac44f8a375e3

SHA512
00afdb4459868b2fadd2fe5a9ded9df7b290006abf109514b4cdf7e5859ff4354c9c7c54880ef8256473f4f0e463c82430917a793a832e58b4049d78e4298f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F3677F41-DCBC-4ADC-9515-B24E4B114133}
Filesize
128KB

MD5
25361736ed8ffd2e30039a286185853e

SHA1
7d0950b014586b75dc78b13bcf9836804c02b3dd

SHA256
d9d6e1724b00493548454f76a218d98f9bdb59b4209a2202ec6feef5578c57b9

SHA512
75d522c975d8cf4027e660c4aff794b576d785b29f18adbde61bb129c9d3a81d20034689719a0de247be7bd3ae8fd13beab7e3b411dd47956cd1660c5533fb17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
fd2a93ae3adda5c115c26a924804587d

SHA1
6a56a7b00d5a14f26c43d8c663d0f9fe5ad04841

SHA256
5e91112ca15cb8841d37b980268cfe8b5e46efc8efdb6f1e1b13c5a0908e4370

SHA512
b8169b56991bd2e1d84fb67ff1ceb58f2258799bdbcf71fa55cb79144be50f1fcc9a9da5d315e46dd8fe6d851ca4b0ea4bcd91b78f4476df09ecdb1febaa0ed6

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
memory/916-145-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/916-159-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/916-142-0x0000000001030000-0x000000000112C000-memory.dmp

Filesize
1008KB

Download
memory/916-150-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/916-151-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/916-152-0x0000000007E90000-0x0000000007F48000-memory.dmp

Filesize
736KB

Download
memory/916-158-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/916-144-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/916-163-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/916-162-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1880-161-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/1880-160-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/1976-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-190-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download