7824023fb8fd0606c37c13e271456d5eeae5eb834f18f5b8f397c2105812da3f

Analysis

max time kernel
103s
max time network
106s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx
Size

10KB
MD5

f300f686821deba927b954a36cb74874
SHA1

1c076c17f47e2942035fcf63709aa85213c4f83d
SHA256

20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf
SHA512

7ddb21922884a405da9a865953c767eafec3ee2ea60b39de3388319cff15d74f11818e391823a42a38729bf973cb86edaee7fe503e7ed75da8d3cd728bcd0e68
SSDEEP

192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3De:SPXU/slT+LOAHkZC9q

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 1680 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
8	1680	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/31.31.31.doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1744 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1680 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1744	vbc.exe

pid	process
1680	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1680 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1680	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exepowershell.exe

pid process

1744 vbc.exe
832 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1744 vbc.exe
Token: SeDebugPrivilege 832 powershell.exe
Token: SeShutdownPrivilege 2008 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
2008 WINWORD.EXE

pid	process
2008	WINWORD.EXE

pid	process
1744	vbc.exe
832	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1744	vbc.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeShutdownPrivilege	2008	WINWORD.EXE

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1680 wrote to memory of 1744	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1744	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1744	1680	EQNEDT32.EXE	vbc.exe
PID 1680 wrote to memory of 1744	1680	EQNEDT32.EXE	vbc.exe
PID 2008 wrote to memory of 1176	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1176	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1176	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1176	2008	WINWORD.EXE	splwow64.exe
PID 1744 wrote to memory of 832	1744	vbc.exe	powershell.exe
PID 1744 wrote to memory of 832	1744	vbc.exe	powershell.exe
PID 1744 wrote to memory of 832	1744	vbc.exe	powershell.exe
PID 1744 wrote to memory of 832	1744	vbc.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1176

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TdPQEEr.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{39C10D5A-8A8D-400C-A8C0-F64FC5B0DA22}.FSD
Filesize
128KB

MD5
12c449709a6b6c61448e9e92aa723d21

SHA1
dc2628da37f3b517bd453c3cab0ab21a01acb634

SHA256
bbf5e593ca472974dde07a1c55b2a46fc21ce9bb2d1ff88cf5f5ec36911c937c

SHA512
6e393a511c92e3c18b7c32c49bcc1da68beb40daa2b36875b9c4fe9e0ef50696fbce6a57973e97a6a5344eeb5697c93b483fe553db7fb354aa206b907909fcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
377af2cc5d9d1c218cf7bafdd7a334d0

SHA1
693893e0be3d0381bd27c36ba261bd3e4ff29424

SHA256
7f28a6862841a811b9b6a64907f23a8166a6162f70abc02b3407ab72e7f0b13e

SHA512
cf59ad3bf508dcd2bce52fc147d405bcdf69a3111d95247e3aa207ba4922926e1301a9c61fa4bcd3e0a0d858ebb2fb15eb0b33062dd6e73af1e737412bbbb323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A056A53D-AD0D-4DF5-9106-61A5E85D1026}.FSD
Filesize
128KB

MD5
c0340c63cd00ab92a8651c3edaebfaa5

SHA1
33a2fe3f6f0b102e485ff47454301e8d1415fd68

SHA256
f8b3831178129d98cb0b1312dd416e89f20505d8ece8b4b57a3f4de3a01b57c4

SHA512
6c1c54fb5a402c78d61d8d52a8ce4944e6c4926e37877b5dd55b05da0560ae07169743dcfd8af0c5d56643f942f5d8905b8d26af5636f159131b8b9ca5ba0461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\31.31.31[1].doc
Filesize
11KB

MD5
53b7ecf8450a8d221651aafd0a799b05

SHA1
cb563241140c9f2dc9842fa777bfe3affcab639a

SHA256
caa7719f6020d911cc3e6ad542331508e22180445d7fa9206bf60193cb69d5e9

SHA512
1891caf0aea18f7a77598c663a2ad0f39649e28235af340f5db19cef4611d3c55634d689b614caef2cc146e9cbdf3dc0da27b7e1578eccab8c58e39aa1622673

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1C75ADFD-1D88-4279-8A09-C1B825D3DF34}
Filesize
128KB

MD5
52d6df970751f2395f0119dc1c909453

SHA1
e9409678054424810267e0227f89f98fcea757b5

SHA256
877554a7fd2721000ffacd7a7b973fbeaad6378b04b9e2449f29980afa682e52

SHA512
4db3b2a6d6f204059a83f98928f7ff96d1e083f29e2e588d2ba727abc05b62021655bcf9b69651fdccb21d62964d2512112ddd932560847648939af0249738e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
72B

MD5
ab23a470ff5376d604db419fb5b2bebd

SHA1
0a551a563c64e4cc85422b5d61adf5e041463eef

SHA256
1252f040391357cb272f398f38980dff24c1b917a53044cdde512602085fa5cf

SHA512
180d6e46c60496c0002fe7937b3ad13568293a0a56b0a17c020ffab9129af311d9fa3566f6dcf8b552fb2178a384f6320fb9b98cea64dff88a79370b298a5957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
32ac8e47dc55ec9a728de2e8aff2354b

SHA1
9c7049b29ee7b3f189ed317ffb45b5ee304441bb

SHA256
dd7d2e0e2a5008f34bd4f37a52f3e4d7d462e1e0a8db44967a23fe4543e73840

SHA512
85405a94f058b747a0b01b5c59c404e756717b7b8f2c8f082ab8ff69670c462301389bb831c87cfcb5e976eac7845bf5974e5d69e0411ba09f2b7c5892ad9584

Download Submit
C:\Users\Public\vbc.exe
Filesize
1003KB

MD5
c4e6210df23d8c36b5fc72a04d91bd89

SHA1
9a0e48c1fb63bc93d3c56e134f8f037c9b8292ff

SHA256
120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa

SHA512
fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0

Download Submit
C:\Users\Public\vbc.exe
Filesize
1003KB

MD5
c4e6210df23d8c36b5fc72a04d91bd89

SHA1
9a0e48c1fb63bc93d3c56e134f8f037c9b8292ff

SHA256
120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa

SHA512
fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0

Download Submit
C:\Users\Public\vbc.exe
Filesize
1003KB

MD5
c4e6210df23d8c36b5fc72a04d91bd89

SHA1
9a0e48c1fb63bc93d3c56e134f8f037c9b8292ff

SHA256
120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa

SHA512
fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0

Download Submit
\Users\Public\vbc.exe
Filesize
1003KB

MD5
c4e6210df23d8c36b5fc72a04d91bd89

SHA1
9a0e48c1fb63bc93d3c56e134f8f037c9b8292ff

SHA256
120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa

SHA512
fcc4a472ef7895386f2e84c9946f0ae0eda6e1f71f6110690bcbdd5a191d9026045962586528601b1504d117165258a9f7d7fa9ae0c92f7a016acb66b8916fa0

Download Submit
memory/832-159-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/832-160-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/832-158-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1744-142-0x0000000001070000-0x0000000001172000-memory.dmp

Filesize
1.0MB

Download
memory/1744-152-0x0000000005E00000-0x0000000005EAA000-memory.dmp

Filesize
680KB

Download
memory/1744-151-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/1744-150-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1744-149-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/1744-143-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2008-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-187-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download