923b75bbec5c14b3fcbe8f29f2711fa6a32b7e3fa3407c12428ea1fe22393787

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Size

10KB
MD5

73eb1fe347f4570fa1fbcbd6b5130f54
SHA1

dc5df0f94c44ad73c16df705f042a88c21f641cc
SHA256

0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
SHA512

2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1468 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1468	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://1755848856/O__O.DOC	WINWORD.EXE

Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

552 vbc.exe
1628 vbc.exe
1388 vbc.exe
2032 vbc.exe
996 vbc.exe
984 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1468 EQNEDT32.EXE
1468 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1468 EQNEDT32.EXE

pid	process
1468	EQNEDT32.EXE
1468	EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1468	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE

pid	process
1496	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

vbc.exe

pid	process
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe
552	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 552 vbc.exe
Token: SeShutdownPrivilege 1496 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
1496 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	552	vbc.exe
Token: SeShutdownPrivilege	1496	WINWORD.EXE

pid	process
1496	WINWORD.EXE
1496	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1468 wrote to memory of 552	1468	EQNEDT32.EXE	vbc.exe
PID 1468 wrote to memory of 552	1468	EQNEDT32.EXE	vbc.exe
PID 1468 wrote to memory of 552	1468	EQNEDT32.EXE	vbc.exe
PID 1468 wrote to memory of 552	1468	EQNEDT32.EXE	vbc.exe
PID 1496 wrote to memory of 1600	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1600	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1600	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1600	1496	WINWORD.EXE	splwow64.exe
PID 552 wrote to memory of 1628	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1628	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1628	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1628	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1388	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1388	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1388	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 1388	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 2032	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 2032	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 2032	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 2032	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 996	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 996	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 996	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 996	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 984	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 984	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 984	552	vbc.exe	vbc.exe
PID 552 wrote to memory of 984	552	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1600

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1628

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1388

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2032

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:996

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D3E52F62-2E56-4480-908F-155FCE331D3F}.FSD
Filesize
128KB

MD5
3a5a850c57611444edcf7be780100f15

SHA1
643d4b360d32f4e914283d45dfd134a3019331e3

SHA256
bc2848b4ddb16a8290505874a778872d96c126687517a6ad7bf97b8104d94c28

SHA512
deaebf8c37374de328c8853d6061b458a8c8b4fdadbc9859b8df56c834f37e35ea3b3ebd6800a5c10cd4441abc1cfa534d7eb58a612271b3af62563f3bc4914a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
9e51f9d5b826f164f1a0d0f20ead5a40

SHA1
67e9831959074428418102284c4905d732147ee3

SHA256
32d20b0c3e5f005ffdcbee8dc46d38f672e392318415c8117fc726c91687ceda

SHA512
92cb28e2d50ddbd021cee5fe916c5f0455065ac767f4f38b1b4650c558810c985498ad7d00c9b6bb8b3388eec61da9864329d6f3b4d2e726c30f4d7a92778f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0DA34D07-0F4D-4319-BAB0-C13E76015C10}.FSD
Filesize
128KB

MD5
8325c813b672d689ae158428e8cecc85

SHA1
fd47b11143378d2e05aef19cad1bb0ebf6cd96ab

SHA256
8b5cbbaf0b368a3aca07a199d38e91342a8a3a9d9bf6c898feda61c8850ec292

SHA512
4a24b106473da288c46454a4e3d09ae6e8e2fbedcca743b39378338eb0fe7b7c5d6351714684ffeef051b9838dd68710d727ab3976f9385cb3d1c10d0efe5a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\O__O[1].doc
Filesize
17KB

MD5
bb305858814d868425bd5d85e202991b

SHA1
4c152743525f39a16e56f9bd15e8a0924044355d

SHA256
4da95ef6e49749b7b925c11ad25822791179a009f87ff46b3507322c0bff086a

SHA512
e908ccac56e65472fb724189012619be8a92a20e6ae731a3517b0a7203f96ecc76d0c9d4943cbc8cda6edd45a69f10d23ea268f22abf34d5d3e770ceadfe36fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72FB08F8-B0BB-490A-918C-A49E041154FE}
Filesize
128KB

MD5
4fdede0f635dc92e27f339b47d41028b

SHA1
1892afcb6c1b544c4960e6731de339a5555e4ddb

SHA256
38bb1699feeea0682c5ef899acd0e2287c17ddaa8d2d93338a2a9dd8bfe6bf0c

SHA512
4d547de25e7899bf1fdb4a0455e0a97521fe02cd9f733bf0473bd69cc5028be48e7227a4f33104b91cd587144ea31d437f9430b3dc200b635d651b18a6245294

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
25a0c4c783f3cd156d240776e12b05a5

SHA1
bb7c09444e216ba107578f4ad4d85100f7a674da

SHA256
680ffa869d7ad9fc922b901228c2f7cf311c60a0952472d8ba02c499921b989e

SHA512
517db68cb7750d8f785e61ea78bf84066f2fbf99e8e0246051eb6516446ed6d49cee8989b09b990532975933ea33296cb3860531468ad163be9e939f37fb713b

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
C:\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
\Users\Public\vbc.exe
Filesize
978KB

MD5
a0637f11f853be8f538885daccbea677

SHA1
d970b69bbc89f1246e46907e0fdbaf5392e4d4da

SHA256
180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb

SHA512
75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Download Submit
memory/552-146-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/552-156-0x00000000006B0000-0x00000000006DA000-memory.dmp

Filesize
168KB

Download
memory/552-155-0x0000000007FC0000-0x000000000806E000-memory.dmp

Filesize
696KB

Download
memory/552-154-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/552-153-0x0000000004470000-0x00000000044B0000-memory.dmp

Filesize
256KB

Download
memory/552-145-0x0000000004470000-0x00000000044B0000-memory.dmp

Filesize
256KB

Download
memory/552-144-0x00000000003C0000-0x00000000004BC000-memory.dmp

Filesize
1008KB

Download
memory/1496-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1496-188-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

pid	process
552	vbc.exe
1628	vbc.exe
1388	vbc.exe
2032	vbc.exe
996	vbc.exe
984	vbc.exe