Analysis
max time kernel: 102s
max time network: 105s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22-02-2023 01:26

Static task: static1
Behavioral task: behavioral1
Sample: 0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource: win10v2004-20230220-en

General
Target: 0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Size: 10KB
MD5: 73eb1fe347f4570fa1fbcbd6b5130f54
SHA1: dc5df0f94c44ad73c16df705f042a88c21f641cc
SHA256: 0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
SHA512: 2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
SSDEEP: 192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE (pid 1468, flow 7)
Downloads MZ/PE file
Abuses OpenXML format to download file from external location 2 IoCs
Processes: WINWORD.EXE
  Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common
  Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://1755848856/O__O.DOC
Executes dropped EXE 6 IoCs
Processes: vbc.exe (pids 552, 1628, 1388, 2032, 996, 984)
Loads dropped DLL 2 IoCs
Processes: EQNEDT32.EXE (pid 1468, 2 occurrences)
Uses the VBS compiler for execution 1 TTPs
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
  File opened for modification C:\Windows\Debug\WIA\wiatrace.log
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes: WINWORD.EXE
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE (pid 1496)
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes: vbc.exe (pid 552, 17 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  vbc.exe (pid 552) Token: SeDebugPrivilege
  WINWORD.EXE (pid 1496) Token: SeShutdownPrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE (pid 1496, 2 occurrences)
Suspicious use of WriteProcessMemory 28 IoCs
Processes (source pid / process -> target pid / process):
  1468 EQNEDT32.EXE wrote to memory of 552 vbc.exe (4 times)
  1496 WINWORD.EXE wrote to memory of 1600 splwow64.exe (4 times)
  552 vbc.exe wrote to memory of 1628 vbc.exe (4 times)
  552 vbc.exe wrote to memory of 1388 vbc.exe (4 times)
  552 vbc.exe wrote to memory of 2032 vbc.exe (4 times)
  552 vbc.exe wrote to memory of 996 vbc.exe (4 times)
  552 vbc.exe wrote to memory of 984 vbc.exe (4 times)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (depth 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe (depth 3, 5 child processes with identical command line)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D3E52F62-2E56-4480-908F-155FCE331D3F}.FSD
  Filesize: 128KB
  MD5: 3a5a850c57611444edcf7be780100f15
  SHA1: 643d4b360d32f4e914283d45dfd134a3019331e3
  SHA256: bc2848b4ddb16a8290505874a778872d96c126687517a6ad7bf97b8104d94c28
  SHA512: deaebf8c37374de328c8853d6061b458a8c8b4fdadbc9859b8df56c834f37e35ea3b3ebd6800a5c10cd4441abc1cfa534d7eb58a612271b3af62563f3bc4914a
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 9e51f9d5b826f164f1a0d0f20ead5a40
  SHA1: 67e9831959074428418102284c4905d732147ee3
  SHA256: 32d20b0c3e5f005ffdcbee8dc46d38f672e392318415c8117fc726c91687ceda
  SHA512: 92cb28e2d50ddbd021cee5fe916c5f0455065ac767f4f38b1b4650c558810c985498ad7d00c9b6bb8b3388eec61da9864329d6f3b4d2e726c30f4d7a92778f0c
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0DA34D07-0F4D-4319-BAB0-C13E76015C10}.FSD
  Filesize: 128KB
  MD5: 8325c813b672d689ae158428e8cecc85
  SHA1: fd47b11143378d2e05aef19cad1bb0ebf6cd96ab
  SHA256: 8b5cbbaf0b368a3aca07a199d38e91342a8a3a9d9bf6c898feda61c8850ec292
  SHA512: 4a24b106473da288c46454a4e3d09ae6e8e2fbedcca743b39378338eb0fe7b7c5d6351714684ffeef051b9838dd68710d727ab3976f9385cb3d1c10d0efe5a0a
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\O__O[1].doc
  Filesize: 17KB
  MD5: bb305858814d868425bd5d85e202991b
  SHA1: 4c152743525f39a16e56f9bd15e8a0924044355d
  SHA256: 4da95ef6e49749b7b925c11ad25822791179a009f87ff46b3507322c0bff086a
  SHA512: e908ccac56e65472fb724189012619be8a92a20e6ae731a3517b0a7203f96ecc76d0c9d4943cbc8cda6edd45a69f10d23ea268f22abf34d5d3e770ceadfe36fa
C:\Users\Admin\AppData\Local\Temp\{72FB08F8-B0BB-490A-918C-A49E041154FE}
  Filesize: 128KB
  MD5: 4fdede0f635dc92e27f339b47d41028b
  SHA1: 1892afcb6c1b544c4960e6731de339a5555e4ddb
  SHA256: 38bb1699feeea0682c5ef899acd0e2287c17ddaa8d2d93338a2a9dd8bfe6bf0c
  SHA512: 4d547de25e7899bf1fdb4a0455e0a97521fe02cd9f733bf0473bd69cc5028be48e7227a4f33104b91cd587144ea31d437f9430b3dc200b635d651b18a6245294
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 25a0c4c783f3cd156d240776e12b05a5
  SHA1: bb7c09444e216ba107578f4ad4d85100f7a674da
  SHA256: 680ffa869d7ad9fc922b901228c2f7cf311c60a0952472d8ba02c499921b989e
  SHA512: 517db68cb7750d8f785e61ea78bf84066f2fbf99e8e0246051eb6516446ed6d49cee8989b09b990532975933ea33296cb3860531468ad163be9e939f37fb713b
C:\Users\Public\vbc.exe (10 identical entries, two of them written as \Users\Public\vbc.exe)
  Filesize: 978KB
  MD5: a0637f11f853be8f538885daccbea677
  SHA1: d970b69bbc89f1246e46907e0fdbaf5392e4d4da
  SHA256: 180a541d61bfa4fda318457b0f16f159671b14305b5993e13b4d63c649eed2cb
  SHA512: 75b89af63b7a0d097c10ee61ee8c1b4f84d355c0ef8ba5d7286e9adb359692974b9cc4c486dfb0d7ad0f3cbc122d936b293af05362a356883fac70cdfbfb7afc

Memory dumps
memory/552-146-0x00000000003A0000-0x00000000003B6000-memory.dmp (88KB)
memory/552-156-0x00000000006B0000-0x00000000006DA000-memory.dmp (168KB)
memory/552-155-0x0000000007FC0000-0x000000000806E000-memory.dmp (696KB)
memory/552-154-0x00000000003B0000-0x00000000003BC000-memory.dmp (48KB)
memory/552-153-0x0000000004470000-0x00000000044B0000-memory.dmp (256KB)
memory/552-145-0x0000000004470000-0x00000000044B0000-memory.dmp (256KB)
memory/552-144-0x00000000003C0000-0x00000000004BC000-memory.dmp (1008KB)
memory/1496-54-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1496-188-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)