Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
04-04-2023 14:29
Static task
static1
Behavioral task
behavioral1
Sample
S3-QTLKT220413R.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
S3-QTLKT220413R.docx
Resource
win10v2004-20230220-en
General
-
Target
S3-QTLKT220413R.docx
-
Size
10KB
-
MD5
e9bf75f68cf1cd02b4b9b7e6bcaca88d
-
SHA1
d9c326df06b90d796eb0a126c70967ab16d42c2e
-
SHA256
b59ed31e2aad9b4955f0dcc1f0e4aeef44f161a508bd408466c4495289462a6e
-
SHA512
031223688c3c18000a7d8cc91e205e7cb8e84d0946913ccec3f856f395c5d45d119b2ad9cc2d8ed438c81a96d51547d0556199c2bec565a2f94f8b8c7b28b25a
-
SSDEEP
192:ScIMmtPGT7G/bIwXOVOL5SEzBC4vNq6sM63OR:SPXuT+xXOVOVhlqH6
Malware Config
Extracted
lokibot
http://171.22.30.164/okuman/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1620 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://760759131/x......x......x.....doc WINWORD.EXE -
Executes dropped EXE 1 IoCs
Processes:
vbc.exepid process 1648 vbc.exe -
Loads dropped DLL 5 IoCs
Processes:
EQNEDT32.EXEpid process 1620 EQNEDT32.EXE 1620 EQNEDT32.EXE 1620 EQNEDT32.EXE 1620 EQNEDT32.EXE 1620 EQNEDT32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 364 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1648 vbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 364 WINWORD.EXE 364 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEdescription pid process target process PID 1620 wrote to memory of 1648 1620 EQNEDT32.EXE vbc.exe PID 1620 wrote to memory of 1648 1620 EQNEDT32.EXE vbc.exe PID 1620 wrote to memory of 1648 1620 EQNEDT32.EXE vbc.exe PID 1620 wrote to memory of 1648 1620 EQNEDT32.EXE vbc.exe PID 364 wrote to memory of 1692 364 WINWORD.EXE splwow64.exe PID 364 wrote to memory of 1692 364 WINWORD.EXE splwow64.exe PID 364 wrote to memory of 1692 364 WINWORD.EXE splwow64.exe PID 364 wrote to memory of 1692 364 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\S3-QTLKT220413R.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDFilesize
128KB
MD5bfb187339ddc22af0943ab186c87ac58
SHA1680859facd154aae0f71dba078a5364e5fd76926
SHA256a88aaaaae58e1c75586cc98efa5a96f6fa2e3d6514d61207dd69fb101f44d10a
SHA512df6cf6d1d8b142e2f8200c88225a29087a96f691df5a6832044b6b9b1d7089b303e19ac14153748317aae7681137c809c7e0844dea80907daf978fad0ed9a306
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{692BED7F-BE94-4428-A956-03643541BD9A}.FSDFilesize
128KB
MD5858f07a26bf0870de40ca1c0ebf55682
SHA1bff962ff3545704e9573c80251a973f599ed1e4d
SHA256b571220597f88e8cc629ab80874ed7d1386e70c1480ee9132c5ac123a4622ea2
SHA512c7618fcbbca98f404e5972ddc0be8caf68760bef5f4f0c8d8c8e2b49477e6cb4570243b64541bb1eda51f46a79d732062b0a05a8c49fbb44681449722b3bc63b
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD58a11188bcbff4e889c338d665b440ee2
SHA15d04e0fe86b465dfa4a9b6ca7c9ebcb5442f9e23
SHA25617266f511b3912c6a4ec1adb5c5f4821f2d9702d436c98d82e81574a9859f3af
SHA512c71f906513b9cee3d62fcb8372d003fc679d7be7df7286863f0934be6a9856744f12ef413f959b9c6c89da3c5d6c72533e8fdf7f696cd6c9e0a99b3ee499e1fa
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8E8BA6CA-0EE9-4733-BD46-36EF5AC0FD23}.FSDFilesize
128KB
MD5623b9563d556329e4eaf6b887c31f432
SHA1a91ebcda0a2164e38977dd170631284be4e15a08
SHA256f0c8c3ec53ae8e6c5bb9019d657a3e5dc21bd54cdb3d71e96cd94bf487d29ceb
SHA51209e31d0f153cbeba39c266742dc53f8796a2401d4ff205574b01170972d11e589749223004b75e6f4d53464a953c47c6802d4f55f6abf286ac520ece664bf008
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\x......x......x[1].docFilesize
22KB
MD5d157622f927399b4d6c77c4878e74cb8
SHA176a17da10cae342ced929f19a9f757c3d879faa3
SHA256df016d228624d8b2edaef3179e4c43868dda5a8562ed3240995bd313c5907cb5
SHA51293db3da6493e0fc9afb968c8efd797e59f6fe1cb918450b78c22eda5a0c6d2bce5e485149dbea71adaa60eb8bae9bec8367397045332bca894a614586a172df5
-
C:\Users\Admin\AppData\Local\Temp\{CD154BB1-CF01-4852-A090-655D0B1802C8}Filesize
128KB
MD59707352b4a5bcd91c98d50aba6d1e265
SHA1d86383caaa6b5505a80199bb0858f1d390a19a6d
SHA25602d33d2d710c8a2ea5eba67933e71e0e310fa7b9894dbec0e4fb90a566c74d7c
SHA512a169dc168bf1ac144eeb94453df16d3650fb1e06961406a678c455f322d48909ef2cd5092c8acf1e4387bcc9768d100c028b132a447285ceb84142561fdbad07
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
66B
MD54424e25558d17266dc85f0eec85ab153
SHA1ad2ff019200a816344f08eec7cdd86d4ddf96109
SHA2562e19d0a7901d28d6ccc7fd55c065c471d5b1b91cb2a1eb60c97ff3277cf7bcb9
SHA51298fe3bbe111a6b04383396fbb5d4b7d6713ab4f98b37280d3b22efbb6bcfcc604f20bea084c8dfe6189c939f71f43f3e1874cc16319c3267c431f3e3a1e8dbe6
-
C:\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
C:\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
C:\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
\Users\Public\vbc.exeFilesize
195KB
MD5f76f6076382d943ab4ab1101962d8f64
SHA19c1f89d5cc86256603dcc2acb72b0cd9712f41ae
SHA256c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956
SHA512c025fb8a7338b054ae260572d64f49dba9a463ef15f4d3435f90bac67d33a599e0ab9d10466552ae1219b282591bac06bb8883eea324ca7ea0b1a9088700b990
-
memory/364-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1648-153-0x00000000001B0000-0x00000000001CB000-memory.dmpFilesize
108KB
-
memory/1648-161-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1648-164-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB