08d5e1d19cd6c2d1d0cd69b4573702bcbd7ebb97835a9d4769fb4dc12a564be1

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shipping documents.docx
Size

10KB
MD5

38bde1f71eff4a0b7d396fc4560b921a
SHA1

b7c1e4fdfec691fc11832480cca239d567b5b22c
SHA256

08d5e1d19cd6c2d1d0cd69b4573702bcbd7ebb97835a9d4769fb4dc12a564be1
SHA512

a484e8020d8fd46575814230ffab6cdbc1f968e35a9b037176f05c7defaede4a4b31eeedcd94418a961dbd8ec99f488fc8f88bad8bc1e911290a55d6eafd5f7b
SSDEEP

192:ScIMmtP1aIG/bslPL++uOdVDl+CVWBXJC0c3Fe:SPXU/slT+LOdVHkZC94

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1360 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1360	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392117348/nc..........................doc	WINWORD.EXE

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation vbc.exe
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1876 vbc.exe
1968 vbc.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEcolorcpl.exe

pid process

1360 EQNEDT32.EXE
1360 EQNEDT32.EXE
1216 colorcpl.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	vbc.exe

pid	process
1876	vbc.exe
1968	vbc.exe

pid	process
1360	EQNEDT32.EXE
1360	EQNEDT32.EXE
1216	colorcpl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execolorcpl.exe

description	pid	process	target process
PID 1876 set thread context of 1968	1876	vbc.exe	vbc.exe
PID 1968 set thread context of 1240	1968	vbc.exe	Explorer.EXE
PID 1216 set thread context of 1240	1216	colorcpl.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1360 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1360	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEcolorcpl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE

pid	process
1088	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

vbc.execolorcpl.exe

pid	process
1968	vbc.exe
1968	vbc.exe
1968	vbc.exe
1968	vbc.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe
1216	colorcpl.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.execolorcpl.exe

pid process

1968 vbc.exe
1968 vbc.exe
1968 vbc.exe
1216 colorcpl.exe
1216 colorcpl.exe
1216 colorcpl.exe
1216 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.execolorcpl.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1968 vbc.exe
Token: SeDebugPrivilege 1216 colorcpl.exe
Token: SeShutdownPrivilege 1240 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE
1088 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1968	vbc.exe
Token: SeDebugPrivilege	1216	colorcpl.exe
Token: SeShutdownPrivilege	1240	Explorer.EXE

pid	process
1088	WINWORD.EXE
1088	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1360 wrote to memory of 1876	1360	EQNEDT32.EXE	vbc.exe
PID 1360 wrote to memory of 1876	1360	EQNEDT32.EXE	vbc.exe
PID 1360 wrote to memory of 1876	1360	EQNEDT32.EXE	vbc.exe
PID 1360 wrote to memory of 1876	1360	EQNEDT32.EXE	vbc.exe
PID 1088 wrote to memory of 664	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 664	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 664	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 664	1088	WINWORD.EXE	splwow64.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1876 wrote to memory of 1968	1876	vbc.exe	vbc.exe
PID 1240 wrote to memory of 1216	1240	Explorer.EXE	colorcpl.exe
PID 1240 wrote to memory of 1216	1240	Explorer.EXE	colorcpl.exe
PID 1240 wrote to memory of 1216	1240	Explorer.EXE	colorcpl.exe
PID 1240 wrote to memory of 1216	1240	Explorer.EXE	colorcpl.exe
PID 1216 wrote to memory of 1152	1216	colorcpl.exe	Firefox.exe
PID 1216 wrote to memory of 1152	1216	colorcpl.exe	Firefox.exe
PID 1216 wrote to memory of 1152	1216	colorcpl.exe	Firefox.exe
PID 1216 wrote to memory of 1152	1216	colorcpl.exe	Firefox.exe
PID 1216 wrote to memory of 1152	1216	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Shipping documents.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:664

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1152

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{61604CA6-71AE-4687-A7F7-2F4FB98822F6}.FSD
Filesize
128KB

MD5
84570d66b46dd54990e1189f67f8fbff

SHA1
df86cf9e8b89195a4812c7de000602020af2c221

SHA256
31e9c153fec1ba8a1741c249a4205a6490e6b63975efa35a5b0302c91df13348

SHA512
55b5c4789e1b842ddf1d6d715649640bcdd5fdd1ca70887366314ec30590e4d653fd084782eb2dee19f339c5cc3bf1dddcc36a74a7231662fbe10fc29e295be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
d9e2732adc9f07913cdda3e04fc0dfae

SHA1
37b3096d6c99afb2942359fe936266b93d0c2218

SHA256
81eb9059764eb5ac74809fdf0493f055ac52c266e3b62e0ec88119c8868ee077

SHA512
f66ef3e6a11d900b4167bb8d62c7c953c623fa5cdc2ca9605c30f2c0d10cd005da5d2e56caa2cb2834ea06456e155949eeacc8eab85be24cd022f7daa8e5b85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
9f94f596e8de71a572fd5572bd621b44

SHA1
18411d6fbaa1ce6f7379e2e5581d6ec61200fa4b

SHA256
71c459f6f3827ab6ef8be2870d2542832e7b6dc3bf2a2e00d71dc236118ef8d3

SHA512
b5de14a44fbc81293c45b09be89d63647a3558016f090715b41b308f32ea0cbd1c1fbc825262bdaff3a8f14180bc54e947d8146fbe5ff5d5e9f66cd16fe009d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{CBB23EE5-6B2F-4EF3-8990-FE6F8CD90F90}.FSD
Filesize
128KB

MD5
f3022fe9a5e550bd36a0d6fdf614b974

SHA1
028687341941f51101931e24f2d58e9468261aa0

SHA256
4f31031ae20b44d2ba65438d832a11ed67db14f390c402b4cc1d99266d02977a

SHA512
4c069e8e03bb060b3b5b368a5b0a7daa6452f2ae8f7f7521dfa66245c9e5b3e689556292fbe17869d4558a9140fd277ed824ede9a52e74651d08704eab749028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\nc[1].doc
Filesize
13KB

MD5
c20168bf518eb6c71c48331321a1dec3

SHA1
cd4e0a100336c0f915a591358f41c08a405ac3fe

SHA256
bcf4cec92fe9362106d55abfcb0a186f23607c8a28a7499183c9cd3f260de969

SHA512
08097fe409cd06ff7ec19f577632128383db128d62b577c6437083b7dc6939d134a92bdd8dad4d3c425247506e3f02947aa94f63ddcec0ecaa4df771833716de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhjdbhv.zip
Filesize
465KB

MD5
9e480b43cbe052e9ab25a0b982132e4d

SHA1
511ed863e48b8755e43b093238b923339c1bf846

SHA256
d76c2b3b27f279cbaabaa2d53c93e4bb7f2d8336e5aff7c74d7a16a2dbfbfb1c

SHA512
92a2753d125fec5a77945a1724dd85d07fd672583666029e313903584cf8e872fae9f3bb1db00cb9cde747edd4e3e95c8ffc3aa2867ce9212504d557e2adc8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A205C821-7FBB-41DB-B2E7-C437846B5612}
Filesize
128KB

MD5
912f651f6e967c702e299b906fa20e2a

SHA1
c08bcc77fb9766704fa916a2623be38156a8cc29

SHA256
5507630c2a32cccdf78c3f4a6f0481f17171c4f4bb0c95f4de75baa6fb7a5f69

SHA512
eb2bf68a3f2bb008af9f077228f0442d24c0fec7d9456e4e6d645501d3a248959c10ce880a7c44812f40c789088deb107b6c996205880eef6e5dd83c6cfe4ad6

Download Submit
C:\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
C:\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
C:\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
C:\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
890KB

MD5
8402a6aa76d7787ff03943dd129e3d83

SHA1
895338cb761d62930ca93918011fd2cd33d5b30c

SHA256
49ff99d5b24f4f7d5a8ea175f35a6548c74b04e5c621c60121b5088dab19b4eb

SHA512
39bbe90385be35492825929296aae771fb4afb00a1f6a48f0e4ec17bc1097c3a32cea3b22033116c82695e66acbd6c847483a8da21e7302240467b58e39169ea

Download Submit
\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
\Users\Public\vbc.exe
Filesize
878KB

MD5
818e534443d06e269fa8bb04fa647a05

SHA1
63754344896e4ad63da5c253d5a297666609878f

SHA256
a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

SHA512
5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

Download Submit
memory/1088-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1216-221-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/1216-174-0x0000000001E60000-0x0000000001EEF000-memory.dmp

Filesize
572KB

Download
memory/1216-172-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/1216-171-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1216-170-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/1216-169-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/1240-168-0x0000000007110000-0x000000000721D000-memory.dmp

Filesize
1.1MB

Download
memory/1240-173-0x0000000003920000-0x0000000003B20000-memory.dmp

Filesize
2.0MB

Download
memory/1240-222-0x0000000003E20000-0x0000000003ED2000-memory.dmp

Filesize
712KB

Download
memory/1240-178-0x0000000003E20000-0x0000000003ED2000-memory.dmp

Filesize
712KB

Download
memory/1876-156-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1876-154-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1876-144-0x0000000000A90000-0x0000000000B72000-memory.dmp

Filesize
904KB

Download
memory/1876-145-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1876-146-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1876-158-0x00000000021C0000-0x00000000021F8000-memory.dmp

Filesize
224KB

Download
memory/1876-157-0x0000000005C30000-0x0000000005CE0000-memory.dmp

Filesize
704KB

Download
memory/1876-147-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1876-155-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1968-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-166-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/1968-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-165-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/1968-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download