e4dc9cb9964c7f525c257d9a56c3e2f0774d14b0ae9f2df7b49ae1293016d6e1

Analysis

max time kernel
150s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USX16,082.10XSwift.docx
Size

10KB
MD5

6735d0c45ca69ea598bda6fdd9c2cc62
SHA1

7ef80d7b65e5c30517f1b5c8f7e1be00bfa6f461
SHA256

e4dc9cb9964c7f525c257d9a56c3e2f0774d14b0ae9f2df7b49ae1293016d6e1
SHA512

82820b67b03916b488713cb9b5cbf7f5e96ca1f8e521d565f8dd075ea96eca13d8f378cccc13cc1e5b80f424e69cdac428b73a126f9a65f37fcce175b75b0ea6
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4OU7us+1pReDnc37f0F:SPX+si10ni4OIyeDnMr8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1876 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1876	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392074340/O-OO.DOC	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1700 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1876 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1876	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1876 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1876	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

924 WINWORD.EXE

pid	process
924	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

vbc.exepowershell.exe

pid	process
1700	vbc.exe
1624	powershell.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe
1700	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1700 vbc.exe
Token: SeDebugPrivilege 1624 powershell.exe
Token: SeShutdownPrivilege 924 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

924 WINWORD.EXE
924 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1700	vbc.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	924	WINWORD.EXE

pid	process
924	WINWORD.EXE
924	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1876 wrote to memory of 1700	1876	EQNEDT32.EXE	vbc.exe
PID 1876 wrote to memory of 1700	1876	EQNEDT32.EXE	vbc.exe
PID 1876 wrote to memory of 1700	1876	EQNEDT32.EXE	vbc.exe
PID 1876 wrote to memory of 1700	1876	EQNEDT32.EXE	vbc.exe
PID 924 wrote to memory of 776	924	WINWORD.EXE	splwow64.exe
PID 924 wrote to memory of 776	924	WINWORD.EXE	splwow64.exe
PID 924 wrote to memory of 776	924	WINWORD.EXE	splwow64.exe
PID 924 wrote to memory of 776	924	WINWORD.EXE	splwow64.exe
PID 1700 wrote to memory of 1624	1700	vbc.exe	powershell.exe
PID 1700 wrote to memory of 1624	1700	vbc.exe	powershell.exe
PID 1700 wrote to memory of 1624	1700	vbc.exe	powershell.exe
PID 1700 wrote to memory of 1624	1700	vbc.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\USX16,082.10XSwift.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:776

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfbsKVCKbOh.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{132D53B2-68CA-4D17-BA51-79FDFDB4830C}.FSD
Filesize
128KB

MD5
732ef355e026fc73df76140fb48e9062

SHA1
2899dcf58695bdee9147d35209dc49bfaa18a199

SHA256
d4936006c0717762a06984c92c130d5ede8f503411d40f3d15d7063659a91648

SHA512
aec151cea895fc1cd48194e2f027b73d66296bddecfb29798fe891525325e448bd185f243c3b0411a94dd46ac4bdacb7da8035ef85e5d1bc10eaf03cc5e6f47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{132D53B2-68CA-4D17-BA51-79FDFDB4830C}.FSD
Filesize
128KB

MD5
072399b931d2a2d8fb2324a183d9c429

SHA1
02ca67d8553807ee4f9d61d6b8a315f889d05e55

SHA256
bbf62560723d283094f35aa04d68deb7f82d7fd51bd87700219e7978b7740fe2

SHA512
fa3ebcef00195a118927bd1f972438a2a146abd2ae381991cd973c871865e5d687455ed41f4800c13aef6319ba0fc3c94dbff178ab902bd899a76eab876c73be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
8a9acd4661bf266d5dbacbca6e2283d0

SHA1
1ad8559ab117d274b79203db5bc37d51a263f54f

SHA256
347a0393a49a6bc41dcbbaa059ff5f42bcce73bc02e540445eee18c17cf569eb

SHA512
6b4e0c13a7943c4baca80d6f1482f4a673210b3323d50bb5e798d7192f90780731cba62aefc82beaf0dbca0857e5030884f4efc16c7c4e1e33c17f2a58fc3474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D1454D3E-0965-4F01-BC45-5584A74B3863}.FSD
Filesize
128KB

MD5
4d344e3da6bcff60573259d523512dd4

SHA1
53d9d66f24227598d2e5cdff117a640bf000ae55

SHA256
4a89c6154c2d8d6ef0eb4e054d2549441cee0d36d31417bfa9d34facfa474ca1

SHA512
7af485b3fa7f8445c8f3a82f223f9adec0ae00a6585b9db7699d9b510903ef09ab3673df85359e6b015e1ef22ab5bb7a9121bb15ad9eb3576a5d3b5694d21c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\O-OO[1].doc
Filesize
16KB

MD5
f5fa15de93803a87e9b2ab1a136607f9

SHA1
a0f6c055032bcc2cb547e1be9c8ca2cea992ecd4

SHA256
68b3b4b4b491482f3c44e62d6b3863b5f4aeedb9608a6c27e4eeac44f8a375e3

SHA512
00afdb4459868b2fadd2fe5a9ded9df7b290006abf109514b4cdf7e5859ff4354c9c7c54880ef8256473f4f0e463c82430917a793a832e58b4049d78e4298f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E51F4EAB-3741-465F-B33B-AC9780B7B0FC}
Filesize
128KB

MD5
8d5d6c06686d032f64112a345405c1fc

SHA1
16d7f5b32292edec5f014bf3adb8cf9951c17a5c

SHA256
7d371ba592b5ffe5f9f1ba13e5b636351ec99aa7a062c95b9265e909f7089ac3

SHA512
8eb4abe59a1c99552d3637ccfe0972704779024d249c2ccfdcd68b055d6f459eefcdd1186a0a7ab27af1820a80681b8ed57b2dc1d12c897f1e564e2b5de56346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
51B

MD5
3d053da0225a6de8047dd356469177c8

SHA1
75d3904ae93904436b3a994744ed76b6f327976e

SHA256
35a086b733b6738298dc4be90863bc0d232f20d3d8a9027935d0dafe679a5f39

SHA512
8e0f9a995e0cd23fc5300aca2c8e2a39b1015fd331e04c9c03b801132d4982473e413bedfc0703c941b06dff461911dfd8892f01115181b75974a43d1115f5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
17587b0944487770c0b7eea82d94881b

SHA1
8429ebb90a4c71a4b990ba778818f43d738706a1

SHA256
847dd537c9b9c36cc0e0415a887c3f5d3f578bec0ee3d0ea5aee17d269d479a4

SHA512
d76150f1fcbdffebaeb5b9a61652de35cde394ce81e41f3a3cf1e494dbc72bc468cf612318ac95f6b69d4a50ad745dbeb4eb506a26fdc407d994b978d50cfc70

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
C:\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
\Users\Public\vbc.exe
Filesize
979KB

MD5
fc4f1b555ec348ccf814fedbf06a45cc

SHA1
33a666dd9b6ee57bde594d3720adba26191ca9d5

SHA256
5f4426ef4ff23950b7ca635f689c0e2274a36ddb3233509e22e7a6b19d6719ae

SHA512
31fe3ffd25f5829d0a175155a4d00f061dd8235f4d5f3507d7d7fb4500b5690f553de79930aded6fe9170bf990f1979291546960a2ba1daaa62cdc102a1c69bb

Download Submit
memory/924-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/924-190-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-160-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1624-161-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1700-142-0x0000000000070000-0x000000000016C000-memory.dmp

Filesize
1008KB

Download
memory/1700-152-0x0000000007C10000-0x0000000007CC8000-memory.dmp

Filesize
736KB

Download
memory/1700-156-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1700-157-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1700-151-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1700-150-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1700-162-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1700-163-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1700-149-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/1700-144-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download