Analysis
  Max time kernel: 150s
  Max time network: 104s
  Platform: windows7_x64
  Resource: win7-20230220-en
  Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  Submitted: 21-02-2023 13:13
  Static task: static1
  Behavioral task: behavioral1 (sample USX16,082.10XSwift.docx, resource win7-20230220-en)
  Behavioral task: behavioral2 (sample USX16,082.10XSwift.docx, resource win10v2004-20230220-en)

General
  Target: USX16,082.10XSwift.docx
  Size: 10KB
  MD5: 6735d0c45ca69ea598bda6fdd9c2cc62
  SHA1: 7ef80d7b65e5c30517f1b5c8f7e1be00bfa6f461
  SHA256: e4dc9cb9964c7f525c257d9a56c3e2f0774d14b0ae9f2df7b49ae1293016d6e1
  SHA512: 82820b67b03916b488713cb9b5cbf7f5e96ca1f8e521d565f8dd075ea96eca13d8f378cccc13cc1e5b80f424e69cdac428b73a126f9a65f37fcce175b75b0ea6
  SSDEEP: 192:ScIMmtP0xfUW70vG/b3kgOi4OU7us+1pReDnc37f0F:SPX+si10ni4OIyeDnMr8
Malware Config

Signatures

- Blocklisted process makes network request (1 IoC)
  Processes: EQNEDT32.EXE (PID 1876), network flow 7

- Downloads MZ/PE file

- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes: WINWORD.EXE
    Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common
    Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392074340/O-OO.DOC
  The second key name embeds the URL Word fetched while opening the document; the fetched file appears under Downloads as O-OO[1].doc (16KB) in the Internet Explorer cache. The host 392074340 is an IPv4 address written as a single decimal number ("dword" notation), which WinINet accepts.
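The signature above fires because an OpenXML package can carry a relationship whose TargetMode is External, which Word resolves over the network when the document is opened. The following scanner is an added example, not part of the sandbox report or of the sample: it walks every .rels part in a .docx, lists external relationships, and expands a dword-style host such as 392074340 into dotted-quad form. The .docx it scans is constructed in memory with a remote attachedTemplate relationship; the report only records the fetched URL, not which relationship type the sample used, so the scanner does not filter on type.

```python
"""Scan an OpenXML (.docx) package for relationships that point outside the
document. Added example; the test document is constructed here, and the
attachedTemplate mechanism is an assumption (the report records only the URL)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# URL recorded by the sandbox under Software\Microsoft\Office\Common\Offline\Files\
REPORTED_URL = "http://392074340/O-OO.DOC"


def decode_dword_host(host: str) -> str:
    """Return the dotted-quad form of an all-digit ('dword') IPv4 host;
    any other host is returned unchanged."""
    if host.isdigit() and int(host) < 2**32:
        n = int(host)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host


def external_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, relationship_type, target, host) for every
    TargetMode="External" relationship in any *.rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:]+)", target)
                host = decode_dword_host(m.group(1)) if m else ""
                hits.append((name, rtype, target, host))
    return hits


def build_sample_docx(template_url: str) -> bytes:
    """Constructed test input: a minimal .docx whose settings part has a
    remote attachedTemplate relationship. This is not the real sample."""
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{OFFICE_REL}attachedTemplate" Target="{template_url}" '
        f'TargetMode="External"/></Relationships>'
    )
    doc_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{OFFICE_REL}styles" Target="styles.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rtype, target, host in external_relationships(build_sample_docx(REPORTED_URL)):
        print(f"{part}: {rtype} -> {target} (host {host})")
```

Run it against a real document with `external_relationships(open(path, "rb").read())`; a relationship of type attachedTemplate or oleObject with an External target is the artefact to look for, and the only internal relationship in the constructed package (styles.xml) is correctly ignored.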
- Executes dropped EXE (1 IoC)
  Processes: vbc.exe (PID 1700)

- Loads dropped DLL (1 IoC)
  Processes: EQNEDT32.EXE (PID 1876)

- Uses the VBS compiler for execution (1 TTP)
  The signature keys on the file name vbc.exe, which is the Visual Basic .NET compiler installed under C:\Windows\Microsoft.NET\Framework\. In this run the file is C:\Users\Public\vbc.exe, the 979KB dropped executable listed under Downloads, not the framework binary; only the name is borrowed.

- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
    File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Office loads VBA resources, possible macro or embedded object present

- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
    Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Set value (int): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Set value (int): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
    Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

- Modifies registry class (64 IoCs)
  Processes: WINWORD.EXE
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
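The "Set value (data)" entries in the two registry signatures above are the part an analyst most needs to read, because the hex is where an attacker-controlled command would hide if there were one. The sandbox dumps REG_BINARY values as hex; here the payload is a NUL-terminated UTF-16LE string in the Windows Installer "Darwin descriptor" layout (20-character compressed ProductCode, feature name, ">", 20-character compressed ComponentId, then command arguments), which Office writes so that the shell can trigger MSI self-repair before launching the editor. The decoder below is an added example, not part of the report; the three blobs are copied from the report, and the descriptor layout check is the editor's interpretation.

```python
"""Decode the REG_BINARY 'command' values WINWORD.EXE wrote under the
OpenWithList and Default HTML Editor keys. Added example; the hex blobs are
copied verbatim from the sandbox report."""

REPORTED_BLOBS = {
    "WinWord.exe\\shell\\edit\\command\\command":
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    "MSPub.exe\\shell\\edit\\command\\command":
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
    "Microsoft Excel\\shell\\edit\\command\\command":
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
}

# A compressed (base-85 style) GUID inside a Darwin descriptor is 20 characters.
DESCRIPTOR_ID_LEN = 20


def decode_utf16le_hex(hexblob: str) -> str:
    """The sandbox shows REG_BINARY as hex; the bytes are a NUL-terminated
    UTF-16LE string, so decode and strip the terminator."""
    return bytes.fromhex(hexblob).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> dict:
    """Split <product(20)><feature>'>'<component(20)><args>. The '>' separator
    cannot occur inside a compressed GUID, so the split is unambiguous."""
    if ">" not in text or len(text) < 2 * DESCRIPTOR_ID_LEN + 2:
        raise ValueError("not a Darwin descriptor")
    product = text[:DESCRIPTOR_ID_LEN]
    feature, after = text[DESCRIPTOR_ID_LEN:].split(">", 1)
    return {
        "product": product,
        "feature": feature,
        "component": after[:DESCRIPTOR_ID_LEN],
        "args": after[DESCRIPTOR_ID_LEN:],
    }


def decode_all(blobs=REPORTED_BLOBS) -> dict:
    """Decode every blob; a value that is not a descriptor raises, which is
    exactly the case worth a closer look."""
    return {key: parse_darwin_descriptor(decode_utf16le_hex(blob)) for key, blob in blobs.items()}


if __name__ == "__main__":
    for key, d in decode_all().items():
        print(f"{key}: feature={d['feature']!r} args={d['args']!r}")
```

All three blobs share one product code and carry the Office feature names WORDFiles, PubPrimary and EXCELFiles with the arguments ` /n "%1"`, ` %1` and ` /dde`, matching the plain-text `shell\edit\command` values written beside them. That is Word registering itself as the HTML editor on first run, which is why these 64 registry changes carry no weight in the verdict; a decoded value that is not a descriptor, or whose arguments name a path outside the Office directory, would.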
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE (PID 924)

- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes: vbc.exe (PID 1700), 31 occurrences; powershell.exe (PID 1624), 1 occurrence

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token SeDebugPrivilege: vbc.exe (PID 1700)
    Token SeDebugPrivilege: powershell.exe (PID 1624)
    Token SeShutdownPrivilege: WINWORD.EXE (PID 924)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE (PID 924), 2 occurrences

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source -> target, 4 writes each):
    EQNEDT32.EXE (PID 1876) -> vbc.exe (PID 1700)
    WINWORD.EXE (PID 924) -> splwow64.exe (PID 776)
    vbc.exe (PID 1700) -> powershell.exe (PID 1624)
Processes

[1] WINWORD.EXE (PID 924)
    Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\USX16,082.10XSwift.docx"
    Signatures:
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] splwow64.exe (PID 776)
      Image: C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

[1] EQNEDT32.EXE (PID 1876)
    Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Note: the -Embedding switch means Equation Editor was started out of process by COM activation, so the sandbox shows it as a second root rather than as a child of WINWORD.EXE; the WriteProcessMemory entries above confirm it as the parent that writes into vbc.exe (PID 1700).
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

  [2] vbc.exe (PID 1700)
      Image: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] powershell.exe (PID 1624)
        Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfbsKVCKbOh.exe"
        Note: the command line names System32 but the image loaded is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection, so this is 32-bit PowerShell. Add-MpPreference -ExclusionPath excludes the named path from Microsoft Defender scanning; the Downloads section lists no file at that path.
        Signatures:
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
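The process tree above is the part of this report that translates directly into detection logic: Equation Editor starting at all, Equation Editor spawning a child, a binary executing from C:\Users\Public, 32-bit PowerShell, and a Defender exclusion being added from the command line. The code below is an added example, not part of the sandbox report: it runs those checks over process-creation records (the Sysmon Event ID 1 fields that matter) constructed from the PIDs, image paths and command lines listed above. The parent PIDs of the two root processes are not in the report and are set to 0.

```python
"""Detection checks for the process chain in this report, run over constructed
process-creation events. Added example; the events mirror the report's tree,
with ppid=0 for the two roots whose parents the report does not record."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 / Security 4688 fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (ppid 0 = parent not recorded).
EVENTS = [
    ProcEvent(924, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\USX16,082.10XSwift.docx"'),
    ProcEvent(776, 924, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1876, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1700, 1876, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(1624, 1700, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfbsKVCKbOh.exe"'),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# splwow64.exe is the print-driver proxy that 32-bit Office on x64 starts routinely.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
USER_WRITABLE_MARKERS = ("c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, tag, detail) tuples; one tuple per behaviour per process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        lower_image = e.image.lower()
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        if name == "eqnedt32.exe":
            findings.append((e.pid, "equation_editor_started", e.cmdline))
        if parent_name == "eqnedt32.exe":
            # Equation Editor has no business creating processes at all.
            findings.append((e.pid, "eqnedt32_child", f"{parent_name} -> {name}"))
        elif parent_name in OFFICE_IMAGES and name not in BENIGN_OFFICE_CHILDREN:
            findings.append((e.pid, "office_child", f"{parent_name} -> {name}"))
        if any(marker in lower_image for marker in USER_WRITABLE_MARKERS):
            findings.append((e.pid, "exec_from_user_writable", e.image))
        if name == "powershell.exe":
            if re.search(r"add-mppreference\b.*-exclusion(path|process|extension)", e.cmdline, re.I):
                findings.append((e.pid, "defender_exclusion_added", e.cmdline))
            if "\\syswow64\\" in lower_image:
                # Command line says System32; WOW64 redirection loaded the 32-bit copy.
                findings.append((e.pid, "wow64_powershell", e.image))
    return findings


if __name__ == "__main__":
    for pid, tag, detail in detect(EVENTS):
        print(f"{pid:5d} {tag:26s} {detail}")
```

The Defender check looks at the command line rather than the image path, which is what makes it robust to the System32/SysWOW64 mismatch seen here; for the same reason the WOW64 check looks at the image path the loader actually used. WINWORD.EXE and splwow64.exe produce no findings, so the rule set does not fire on a clean Office session.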
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{132D53B2-68CA-4D17-BA51-79FDFDB4830C}.FSD
  Filesize: 128KB
  MD5: 732ef355e026fc73df76140fb48e9062
  SHA1: 2899dcf58695bdee9147d35209dc49bfaa18a199
  SHA256: d4936006c0717762a06984c92c130d5ede8f503411d40f3d15d7063659a91648
  SHA512: aec151cea895fc1cd48194e2f027b73d66296bddecfb29798fe891525325e448bd185f243c3b0411a94dd46ac4bdacb7da8035ef85e5d1bc10eaf03cc5e6f47a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{132D53B2-68CA-4D17-BA51-79FDFDB4830C}.FSD
  Filesize: 128KB
  MD5: 072399b931d2a2d8fb2324a183d9c429
  SHA1: 02ca67d8553807ee4f9d61d6b8a315f889d05e55
  SHA256: bbf62560723d283094f35aa04d68deb7f82d7fd51bd87700219e7978b7740fe2
  SHA512: fa3ebcef00195a118927bd1f972438a2a146abd2ae381991cd973c871865e5d687455ed41f4800c13aef6319ba0fc3c94dbff178ab902bd899a76eab876c73be

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 8a9acd4661bf266d5dbacbca6e2283d0
  SHA1: 1ad8559ab117d274b79203db5bc37d51a263f54f
  SHA256: 347a0393a49a6bc41dcbbaa059ff5f42bcce73bc02e540445eee18c17cf569eb
  SHA512: 6b4e0c13a7943c4baca80d6f1482f4a673210b3323d50bb5e798d7192f90780731cba62aefc82beaf0dbca0857e5030884f4efc16c7c4e1e33c17f2a58fc3474

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D1454D3E-0965-4F01-BC45-5584A74B3863}.FSD
  Filesize: 128KB
  MD5: 4d344e3da6bcff60573259d523512dd4
  SHA1: 53d9d66f24227598d2e5cdff117a640bf000ae55
  SHA256: 4a89c6154c2d8d6ef0eb4e054d2549441cee0d36d31417bfa9d34facfa474ca1
  SHA512: 7af485b3fa7f8445c8f3a82f223f9adec0ae00a6585b9db7699d9b510903ef09ab3673df85359e6b015e1ef22ab5bb7a9121bb15ad9eb3576a5d3b5694d21c48

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\O-OO[1].doc
  Filesize: 16KB
  MD5: f5fa15de93803a87e9b2ab1a136607f9
  SHA1: a0f6c055032bcc2cb547e1be9c8ca2cea992ecd4
  SHA256: 68b3b4b4b491482f3c44e62d6b3863b5f4aeedb9608a6c27e4eeac44f8a375e3
  SHA512: 00afdb4459868b2fadd2fe5a9ded9df7b290006abf109514b4cdf7e5859ff4354c9c7c54880ef8256473f4f0e463c82430917a793a832e58b4049d78e4298f96

C:\Users\Admin\AppData\Local\Temp\{E51F4EAB-3741-465F-B33B-AC9780B7B0FC}
  Filesize: 128KB
  MD5: 8d5d6c06686d032f64112a345405c1fc
  SHA1: 16d7f5b32292edec5f014bf3adb8cf9951c17a5c
  SHA256: 7d371ba592b5ffe5f9f1ba13e5b636351ec99aa7a062c95b9265e909f7089ac3
  SHA512: 8eb4abe59a1c99552d3637ccfe0972704779024d249c2ccfdcd68b055d6f459eefcdd1186a0a7ab27af1820a80681b8ed57b2dc1d12c897f1e564e2b5de56346

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 51B
  MD5: 3d053da0225a6de8047dd356469177c8
  SHA1: 75d3904ae93904436b3a994744ed76b6f327976e
  SHA256: 35a086b733b6738298dc4be90863bc0d232f20d3d8a9027935d0dafe679a5f39
  SHA512: 8e0f9a995e0cd23fc5300aca2c8e2a39b1015fd331e04c9c03b801132d4982473e413bedfc0703c941b06dff461911dfd8892f01115181b75974a43d1115f5ed

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 17587b0944487770c0b7eea82d94881b
  SHA1: 8429ebb90a4c71a4b990ba778818f43d738706a1
  SHA256: 847dd537c9b9c36cc0e0415a887c3f5d3f578bec0ee3d0ea5aee17d269d479a4
  SHA512: d76150f1fcbdffebaeb5b9a61652de35cde394ce81e41f3a3cf1e494dbc72bc468cf612318ac95f6b69d4a50ad745dbeb4eb506a26fdc407d994b978d50cfc70

C:\Users\Public\vbc.exe (listed three times in the original report, plus once as \Users\Public\vbc.exe; all four entries carry the same hashes)
  Filesize: 979KB
  MD5: fc4f1b555ec348ccf814fedbf06a45cc
  SHA1: 33a666dd9b6ee57bde594d3720adba26191ca9d5
  SHA256: 5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae
  SHA512: 31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Memory dumps

memory/924-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/924-190-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/1624-160-0x00000000026C0000-0x0000000002700000-memory.dmp
  Filesize: 256KB

memory/1624-161-0x00000000026C0000-0x0000000002700000-memory.dmp
  Filesize: 256KB

memory/1700-142-0x0000000000070000-0x000000000016C000-memory.dmp
  Filesize: 1008KB

memory/1700-152-0x0000000007C10000-0x0000000007CC8000-memory.dmp
  Filesize: 736KB

memory/1700-156-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB

memory/1700-157-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB

memory/1700-151-0x0000000000610000-0x000000000061C000-memory.dmp
  Filesize: 48KB

memory/1700-150-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB

memory/1700-162-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB

memory/1700-163-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB

memory/1700-149-0x00000000004A0000-0x00000000004B4000-memory.dmp
  Filesize: 80KB

memory/1700-144-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
  Filesize: 256KB