33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Transfer (103) RTO1490230648234.docx
Size

10KB
MD5

90612ab017d9b62b0845de6b196a10f5
SHA1

679287fd3b0389e47cced0fca528b3bb0bbe94c6
SHA256

33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c
SHA512

ee6395170cf4187379df05f1beab7449af8e37109a3524b4f89f0dcadc1ecea1515c8e31847ac93711f82118b86403335bd0bc58cb848bc7461b724821d5fa28
SSDEEP

192:ScIMmtP1aIG/bslPL++uOmlvzl+CVWBXJC0c325:SPXU/slT+LOQHkZC96

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1900 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1900	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221450129/wu.......................wu...................doc	WINWORD.EXE

Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1988 vbc.exe
1784 vbc.exe
1684 vbc.exe
1896 vbc.exe
560 vbc.exe
1900 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1900 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1900	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1692 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1900 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1692	schtasks.exe

pid	process
1900	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

928 WINWORD.EXE

pid	process
928	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

vbc.exepowershell.exe

pid	process
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1988	vbc.exe
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exepowershell.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1988 vbc.exe
Token: SeDebugPrivilege 1044 powershell.exe
Token: SeShutdownPrivilege 928 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

928 WINWORD.EXE
928 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1988	vbc.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeShutdownPrivilege	928	WINWORD.EXE

pid	process
928	WINWORD.EXE
928	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1900 wrote to memory of 1988	1900	EQNEDT32.EXE	vbc.exe
PID 1900 wrote to memory of 1988	1900	EQNEDT32.EXE	vbc.exe
PID 1900 wrote to memory of 1988	1900	EQNEDT32.EXE	vbc.exe
PID 1900 wrote to memory of 1988	1900	EQNEDT32.EXE	vbc.exe
PID 928 wrote to memory of 2024	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 2024	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 2024	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 2024	928	WINWORD.EXE	splwow64.exe
PID 1988 wrote to memory of 1044	1988	vbc.exe	powershell.exe
PID 1988 wrote to memory of 1044	1988	vbc.exe	powershell.exe
PID 1988 wrote to memory of 1044	1988	vbc.exe	powershell.exe
PID 1988 wrote to memory of 1044	1988	vbc.exe	powershell.exe
PID 1988 wrote to memory of 1692	1988	vbc.exe	schtasks.exe
PID 1988 wrote to memory of 1692	1988	vbc.exe	schtasks.exe
PID 1988 wrote to memory of 1692	1988	vbc.exe	schtasks.exe
PID 1988 wrote to memory of 1692	1988	vbc.exe	schtasks.exe
PID 1988 wrote to memory of 1784	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1784	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1784	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1784	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1684	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1684	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1684	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1684	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 560	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 560	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 560	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 560	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1896	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1896	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1896	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1896	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1900	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1900	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1900	1988	vbc.exe	vbc.exe
PID 1988 wrote to memory of 1900	1988	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Transfer (103) RTO1490230648234.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2024

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\keRXZQSqL.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keRXZQSqL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E81.tmp"
3⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1784

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1684

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:560

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1900

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F7422048-931E-4DBF-8EDB-DC54A0AD6B31}.FSD
Filesize
128KB

MD5
3cf9b2c702e1c545d24369d7b468287a

SHA1
8c67d84b78a49c119e8ca51827da2bca0241593f

SHA256
95019a8546dbc042c59525c8948c033d7e559212a351d43e600222f1e5f084d4

SHA512
c25f982f4cf8cdfb0f20b7418eeb6f8de74c7c9488692255188d878fc452d1c2bb5f3d5ded3de07a3db3c6e589953ee92495ae85d91825e1618958adb87c7831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
3fc9aae2c1a474eb289f8bcb40a0771f

SHA1
09b8cce0380fc36208a21ee587412d61a8934165

SHA256
86a0e04c02cb44dd9148a134a8ff6d26f15b7a9ee053da5d437dcc82464d0bc3

SHA512
0fd6da87946ab4c746d7a0d1ee4c9e850273a37b6a3c6ea830dc0d964f28a877c2ff824f8dca4a98a44d118e1ed2aa7481e5fed4dfe4ba309eb86b800ce61815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6F4F29A7-106B-43A4-BF8A-4FBE23B2F077}.FSD
Filesize
128KB

MD5
137657c544cc580efef8be98488ed40e

SHA1
02e5d33b8d21ce1116606cec94fa78fffedc83b8

SHA256
203608fd6fa4a46665d02ec2bf750ac89b90352c47b00d743fb58c87b3ac164a

SHA512
048c0b06e0b7c51ff0714894b46be3ed85a36819a62a7cdeab5ad4380af5b868a3d4edb7fa7970bb4e73a269a1df913009dce4bed15aa5aa033aab42dc6a0a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50826683.doc
Filesize
14KB

MD5
e8597e58b548398887143df2e686e75a

SHA1
2e2ae49625da9c486b33679c2b670d3ed91fe264

SHA256
ff8a98f618cc568b85dce1bed031b10686572fe0a2ebee71697d8e27c15a27ee

SHA512
550aa1272da29c7236a1d8a1c304b2d95fe19d35c88a5a59ce194bc60ad74c5946e6ec1df2faf13d3c6aefe3d3beab1996a559dbdeaa2bea514c23629a0ace02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E81.tmp
Filesize
1KB

MD5
e0e8dc996a5924a18634547b2f271e00

SHA1
91124ed07585d8ccb7e0b4f53d26d18d12f8c2c0

SHA256
e9d8d8be849447dd2ea6c31eeeb1968679fefca3e3a795784cdc6b5ea17b657b

SHA512
00cb7e8decc92936f100e41680412dafb094197015b204a52872f2e1277abaf4bcfa6feed1babc99955f302e6a206bb84dfc2174c2596bc25f5c0282a3fa9262

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0A434DE3-168D-444A-8680-48D15AF348A3}
Filesize
128KB

MD5
4439f4e74f057fdd8c43e56cf8c75f82

SHA1
23b8b168197747a09b52b6cd4d39ffef4900a5ad

SHA256
45204121a5af61471b329c0250aa6ad13a0250c561fbdd6115e8b14fe0a46348

SHA512
a20a8d47dbbd983a944c82db07543d34eaaae021f7ed4a088f30474e6cf45cc956f894cd03716b701782d5f36c60d9458fa6bc2f55d13eba2b9b15636516c782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
9075f66a32ead3100be296f017795533

SHA1
bcdbd37b278cd0bc7101de9748a44b2e7e967a8f

SHA256
8f6faf6e5197860cd817cdde761679dea73a20aaae34c72a147462fa5db137aa

SHA512
0ce7b7b57b17368635a50c3d36e926a85de82c6fdac8cf818b30c6fe48d9d529a13168061fbe387c50745ab480ac7cf96780865ff9ce6f73869a82010e1be40d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
1fb0cd15b8150e5dfb87c8c78e679612

SHA1
c53df088adbdc3f46e6a740a6ef5a856b74d252d

SHA256
64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

SHA512
aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

Download Submit
memory/928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/928-194-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1044-166-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1044-167-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1988-158-0x0000000004CF0000-0x0000000004D22000-memory.dmp

Filesize
200KB

Download
memory/1988-142-0x00000000003C0000-0x00000000004D8000-memory.dmp

Filesize
1.1MB

Download
memory/1988-152-0x0000000005910000-0x00000000059BC000-memory.dmp

Filesize
688KB

Download
memory/1988-151-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1988-143-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1988-150-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1988-149-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download

pid	process
1988	vbc.exe
1784	vbc.exe
1684	vbc.exe
1896	vbc.exe
560	vbc.exe
1900	vbc.exe