Analysis
-
max time kernel
103s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
08-03-2023 11:19
Static task
static1
Behavioral task
behavioral1
Sample
20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx
Resource
win10v2004-20230221-en
General
-
Target
20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx
-
Size
10KB
-
MD5
f300f686821deba927b954a36cb74874
-
SHA1
1c076c17f47e2942035fcf63709aa85213c4f83d
-
SHA256
20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf
-
SHA512
7ddb21922884a405da9a865953c767eafec3ee2ea60b39de3388319cff15d74f11818e391823a42a38729bf973cb86edaee7fe503e7ed75da8d3cd728bcd0e68
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3De:SPXU/slT+LOAHkZC9q
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 8 1680 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/31.31.31.doc WINWORD.EXE -
Executes dropped EXE 1 IoCs
Processes:
vbc.exepid process 1744 vbc.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1680 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2008 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepowershell.exepid process 1744 vbc.exe 832 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1744 vbc.exe Token: SeDebugPrivilege 832 powershell.exe Token: SeShutdownPrivilege 2008 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2008 WINWORD.EXE 2008 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1680 wrote to memory of 1744 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1744 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1744 1680 EQNEDT32.EXE vbc.exe PID 1680 wrote to memory of 1744 1680 EQNEDT32.EXE vbc.exe PID 2008 wrote to memory of 1176 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1176 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1176 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1176 2008 WINWORD.EXE splwow64.exe PID 1744 wrote to memory of 832 1744 vbc.exe powershell.exe PID 1744 wrote to memory of 832 1744 vbc.exe powershell.exe PID 1744 wrote to memory of 832 1744 vbc.exe powershell.exe PID 1744 wrote to memory of 832 1744 vbc.exe powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TdPQEEr.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{39C10D5A-8A8D-400C-A8C0-F64FC5B0DA22}.FSDFilesize
128KB
MD512c449709a6b6c61448e9e92aa723d21
SHA1dc2628da37f3b517bd453c3cab0ab21a01acb634
SHA256bbf5e593ca472974dde07a1c55b2a46fc21ce9bb2d1ff88cf5f5ec36911c937c
SHA5126e393a511c92e3c18b7c32c49bcc1da68beb40daa2b36875b9c4fe9e0ef50696fbce6a57973e97a6a5344eeb5697c93b483fe553db7fb354aa206b907909fcec
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5377af2cc5d9d1c218cf7bafdd7a334d0
SHA1693893e0be3d0381bd27c36ba261bd3e4ff29424
SHA2567f28a6862841a811b9b6a64907f23a8166a6162f70abc02b3407ab72e7f0b13e
SHA512cf59ad3bf508dcd2bce52fc147d405bcdf69a3111d95247e3aa207ba4922926e1301a9c61fa4bcd3e0a0d858ebb2fb15eb0b33062dd6e73af1e737412bbbb323
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A056A53D-AD0D-4DF5-9106-61A5E85D1026}.FSDFilesize
128KB
MD5c0340c63cd00ab92a8651c3edaebfaa5
SHA133a2fe3f6f0b102e485ff47454301e8d1415fd68
SHA256f8b3831178129d98cb0b1312dd416e89f20505d8ece8b4b57a3f4de3a01b57c4
SHA5126c1c54fb5a402c78d61d8d52a8ce4944e6c4926e37877b5dd55b05da0560ae07169743dcfd8af0c5d56643f942f5d8905b8d26af5636f159131b8b9ca5ba0461
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\31.31.31[1].docFilesize
11KB
MD553b7ecf8450a8d221651aafd0a799b05
SHA1cb563241140c9f2dc9842fa777bfe3affcab639a
SHA256caa7719f6020d911cc3e6ad542331508e22180445d7fa9206bf60193cb69d5e9
SHA5121891caf0aea18f7a77598c663a2ad0f39649e28235af340f5db19cef4611d3c55634d689b614caef2cc146e9cbdf3dc0da27b7e1578eccab8c58e39aa1622673
-
C:\Users\Admin\AppData\Local\Temp\{1C75ADFD-1D88-4279-8A09-C1B825D3DF34}Filesize
128KB
MD552d6df970751f2395f0119dc1c909453
SHA1e9409678054424810267e0227f89f98fcea757b5
SHA256877554a7fd2721000ffacd7a7b973fbeaad6378b04b9e2449f29980afa682e52
SHA5124db3b2a6d6f204059a83f98928f7ff96d1e083f29e2e588d2ba727abc05b62021655bcf9b69651fdccb21d62964d2512112ddd932560847648939af0249738e8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
72B
MD5ab23a470ff5376d604db419fb5b2bebd
SHA10a551a563c64e4cc85422b5d61adf5e041463eef
SHA2561252f040391357cb272f398f38980dff24c1b917a53044cdde512602085fa5cf
SHA512180d6e46c60496c0002fe7937b3ad13568293a0a56b0a17c020ffab9129af311d9fa3566f6dcf8b552fb2178a384f6320fb9b98cea64dff88a79370b298a5957
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD532ac8e47dc55ec9a728de2e8aff2354b
SHA19c7049b29ee7b3f189ed317ffb45b5ee304441bb
SHA256dd7d2e0e2a5008f34bd4f37a52f3e4d7d462e1e0a8db44967a23fe4543e73840
SHA51285405a94f058b747a0b01b5c59c404e756717b7b8f2c8f082ab8ff69670c462301389bb831c87cfcb5e976eac7845bf5974e5d69e0411ba09f2b7c5892ad9584
-
C:\Users\Public\vbc.exeFilesize
1003KB
MD5c4e6210df23d8c36b5fc72a04d91bd89
SHA19a0e48c1fb63bc93d3c56e134f8f037c9b8292ff
SHA256120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa
SHA512fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0
-
C:\Users\Public\vbc.exeFilesize
1003KB
MD5c4e6210df23d8c36b5fc72a04d91bd89
SHA19a0e48c1fb63bc93d3c56e134f8f037c9b8292ff
SHA256120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa
SHA512fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0
-
C:\Users\Public\vbc.exeFilesize
1003KB
MD5c4e6210df23d8c36b5fc72a04d91bd89
SHA19a0e48c1fb63bc93d3c56e134f8f037c9b8292ff
SHA256120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa
SHA512fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0
-
\Users\Public\vbc.exeFilesize
1003KB
MD5c4e6210df23d8c36b5fc72a04d91bd89
SHA19a0e48c1fb63bc93d3c56e134f8f037c9b8292ff
SHA256120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa
SHA512fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0
-
memory/832-159-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/832-160-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/832-158-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/1744-142-0x0000000001070000-0x0000000001172000-memory.dmpFilesize
1.0MB
-
memory/1744-152-0x0000000005E00000-0x0000000005EAA000-memory.dmpFilesize
680KB
-
memory/1744-151-0x00000000006A0000-0x00000000006AC000-memory.dmpFilesize
48KB
-
memory/1744-150-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/1744-149-0x0000000000630000-0x0000000000646000-memory.dmpFilesize
88KB
-
memory/1744-143-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/2008-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2008-187-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB