da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d

Analysis

max time kernel
101s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-03-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

POX010-240.docx
Size

10KB
MD5

84b25af93d91ad40962a0db9403cc644
SHA1

d38e907dfbe22b0e0eb7ab7ae8515eb69a7dddbc
SHA256

da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d
SHA512

ff3b085bde3ccff0592453ded391daac66819d5c8ad3035cb7c567891528ceb0c014c3265f8735cfa780de5d06c746a24f2d1504d669fbd17660f42ab855437c
SSDEEP

192:ScIMmtP1aIG/bslPL++uOw4Nl+CVWBXJC0c3qe:SPXU/slT+LOw6HkZC9h

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 552 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	552	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/bg...................................doc	WINWORD.EXE

Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

756 vbc.exe
1724 vbc.exe
1580 vbc.exe
1748 vbc.exe
1504 vbc.exe
1280 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

552 EQNEDT32.EXE
552 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
756	vbc.exe
1724	vbc.exe
1580	vbc.exe
1748	vbc.exe
1504	vbc.exe
1280	vbc.exe

pid	process
552	EQNEDT32.EXE
552	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

916 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

552 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
916	schtasks.exe

pid	process
552	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1768 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

vbc.exepowershell.exe

pid process

756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
756 vbc.exe
904 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 756 vbc.exe
Token: SeDebugPrivilege 904 powershell.exe
Token: SeShutdownPrivilege 1768 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1768 WINWORD.EXE
1768 WINWORD.EXE

pid	process
1768	WINWORD.EXE

pid	process
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
756	vbc.exe
904	powershell.exe

description	pid	process
Token: SeDebugPrivilege	756	vbc.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeShutdownPrivilege	1768	WINWORD.EXE

pid	process
1768	WINWORD.EXE
1768	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 552 wrote to memory of 756	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 756	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 756	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 756	552	EQNEDT32.EXE	vbc.exe
PID 1768 wrote to memory of 844	1768	WINWORD.EXE	splwow64.exe
PID 1768 wrote to memory of 844	1768	WINWORD.EXE	splwow64.exe
PID 1768 wrote to memory of 844	1768	WINWORD.EXE	splwow64.exe
PID 1768 wrote to memory of 844	1768	WINWORD.EXE	splwow64.exe
PID 756 wrote to memory of 904	756	vbc.exe	powershell.exe
PID 756 wrote to memory of 904	756	vbc.exe	powershell.exe
PID 756 wrote to memory of 904	756	vbc.exe	powershell.exe
PID 756 wrote to memory of 904	756	vbc.exe	powershell.exe
PID 756 wrote to memory of 916	756	vbc.exe	schtasks.exe
PID 756 wrote to memory of 916	756	vbc.exe	schtasks.exe
PID 756 wrote to memory of 916	756	vbc.exe	schtasks.exe
PID 756 wrote to memory of 916	756	vbc.exe	schtasks.exe
PID 756 wrote to memory of 1724	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1724	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1724	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1724	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1580	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1580	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1580	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1580	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1748	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1748	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1748	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1748	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1504	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1504	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1504	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1504	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1280	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1280	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1280	756	vbc.exe	vbc.exe
PID 756 wrote to memory of 1280	756	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:844

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iioqULceCJUGWS.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iioqULceCJUGWS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF9.tmp"
3⤵
- Creates scheduled task(s)
PID:916

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1724

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1580

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1748

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1504

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{28E8A8AF-8DFD-40F0-BE31-90032A989923}.FSD
Filesize
128KB

MD5
c50134d4422876a78d214167c4c50ce4

SHA1
85b7cb7ba9c23baa5b079dae81b1b9aed03b21fa

SHA256
7a0eb37d6fdd94b64a64ad7ccdc7fbb77aff0fa6fee37caf86a7eae6d209d8dd

SHA512
841618abdc9f764f12d6cfb50cf501eb1f6c97ac9dad69695984bfebcc6ff110b979e5943f85aba9dfddc818115792937f776154a1e2ed9f7e406ad33b5ebfe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
b638a146c5fac41943f2100cb366de35

SHA1
4e50800e6e975b5c46e76d8ac11334be390575ab

SHA256
d3024abfe47cd8065e5c0f0dc6f799aa56b0f36ef2e1714e9566325a862f3744

SHA512
793772ae56bd75f9b8d7013a9aad4417dd98898d5d343f541ca6f4c5314e0032b65b516683f607daf958f988d4844395c57087ce678371ea319eb5eadd7ef4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E4E51ABD-4F40-43E5-AE61-978A45D88771}.FSD
Filesize
128KB

MD5
563bc5fa0e15c0a1ab39da7919040a4e

SHA1
76c18b360c7574e3b649f17d1155b4e5b976d231

SHA256
4e9e33c971fb5f301792c8747653a605124740f323f0752c12639dfd68e80fd3

SHA512
90b160e94075ebcb8d3d9d1cd6f871e16e38133c6e635160233eb625db9ed82f9b731c818f9a9630a63937ec99a7c3d7467b0dd279f80e432dfa88d9a34537b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\bg[1].doc
Filesize
12KB

MD5
ba628c629f3472e3b57de14e3cdb05d2

SHA1
b492c03cb6824682d575a6b77e3c1c3b7755a331

SHA256
e399cdab404d5046aba55ff32346f96349d482763a3b1c633c9a8fb594f09a17

SHA512
41fd46f514437a823eef56dd83adf3e8e2f7270ca1a24734a3f639ba3f82db55c170d5056854832602d65e75f2d5772847fbd18e8f9531fc406e8aa62db63cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF9.tmp
Filesize
1KB

MD5
79798868e411b13e70ea6997052e9593

SHA1
f838bf07cde2b69cefefc57854bf5fd5d429fbd1

SHA256
b630e4415962b609bedf2ae6737dcd42d211bc6c47063236dba6648ab9b7ed43

SHA512
c7dba5b354c48f42ee749d1f8c70f146223335609a9286d33786f27d10a509f401c9c4a35467dd13eec598cccd3136ed26d7e297b98fecc79215b70abe8ed115

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F25FDF59-B2CF-488F-91B3-525C92C8CD16}
Filesize
128KB

MD5
26a8877f5dcd902e8e614d253fe0624d

SHA1
84ca48720fd213a0b6950562e900148a331903ec

SHA256
49f915f6f137bd59eeb4537e1c45cd16fec5ddf2c2dce3fbe04993f976d3dca1

SHA512
cb021c106dea01bb3a294ea4b17bcaee66b8e971a04f40679a4fa88b8b413ffa0b0575391e6e0df510cc0ddd80234285e31b9c334400c0f0741d58adec8290cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
84B

MD5
f6ba86c4321311e89c822975458c513a

SHA1
ad6a18c6038975d70e80a0f9a1a3492b8d2c3a30

SHA256
4cead7ce9aa7aaa1b5084b59ce763044784de135a7415ac01f8e694654d2c79f

SHA512
ac234cb8afa6e31cb20f6362c80d08bc50279bd9edfff859836b1be8481117b36c8b6befb6c83b1c60e51ea73449eac4b7f2e246066ae2e3f9cb8406707dcb1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
ad2222f39399510ad91576f67f54e42b

SHA1
1aea4fddf5b606ff4765d8048d0a045deaf04128

SHA256
f15f8847aa5acb64d775e2fb79fec9c1482ca1d01922e22c38daa34ee1c5c258

SHA512
23e4fe9bca3f8d7e41af61f2cd8e84bf97dda34221da244d77e508b870df31d7d9dfdbaa65cc73816e2f1bf37a003eeaea08b35ce3a65084a1d0d954528d7079

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
\Users\Public\vbc.exe
Filesize
1.3MB

MD5
fbaac522046f0b2c2ded0ba88585f68a

SHA1
70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2

SHA256
85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8

SHA512
4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046

Download Submit
memory/756-145-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/756-163-0x0000000004420000-0x0000000004426000-memory.dmp

Filesize
24KB

Download
memory/756-164-0x0000000004F60000-0x0000000004F92000-memory.dmp

Filesize
200KB

Download
memory/756-153-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/756-146-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/756-155-0x0000000005780000-0x000000000582A000-memory.dmp

Filesize
680KB

Download
memory/756-144-0x00000000002F0000-0x0000000000442000-memory.dmp

Filesize
1.3MB

Download
memory/756-154-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/904-171-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/904-172-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/904-170-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/1768-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1768-199-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download