Analysis
-
max time kernel
116s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
07-05-2023 09:15
Static task
static1
Behavioral task
behavioral1
Sample
Quotationinmay2023.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Quotationinmay2023.docx
Resource
win10v2004-20230220-en
General
-
Target
Quotationinmay2023.docx
-
Size
10KB
-
MD5
4267eaf046110e4d7670e53ccb81ecf4
-
SHA1
3f3ad83b346680ec7f9cb8a40a387b4ecfe46fbf
-
SHA256
9ea03e4c08f50db0da65d80325a9aafc79749d74b0960ae3fc435ab1541462e5
-
SHA512
19289dbc853135da0546aada0e0943fe52299770ed29eee8d8129bffed772f08d379ceca7a07eff4192f90b086fc205c1cdcc8dff6274e57c4db62316d4d87da
-
SSDEEP
192:ScIMmtPYqPC7UpG/bkpbJNOs6rdlJFtGxV3QAw+:SPXgqPCfIJNOHjJFtGxxQAb
Malware Config
Extracted
lokibot
http://171.22.30.164/mancho/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 960 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\Common\Offline\Files\http://1412838044/x/i/##################################.doc WINWORD.EXE -
Executes dropped EXE 1 IoCs
Processes:
vbc.exepid process 908 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 960 EQNEDT32.EXE 960 EQNEDT32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1172 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
vbc.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 908 vbc.exe Token: SeShutdownPrivilege 1172 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1172 WINWORD.EXE 1172 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEdescription pid process target process PID 960 wrote to memory of 908 960 EQNEDT32.EXE vbc.exe PID 960 wrote to memory of 908 960 EQNEDT32.EXE vbc.exe PID 960 wrote to memory of 908 960 EQNEDT32.EXE vbc.exe PID 960 wrote to memory of 908 960 EQNEDT32.EXE vbc.exe PID 1172 wrote to memory of 1108 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 1108 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 1108 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 1108 1172 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotationinmay2023.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{510348F4-74DE-45F1-AE44-4C0C27CF101E}.FSDFilesize
128KB
MD58bbec3031cd2b7fb259c5cbf9bfa8bfa
SHA131f77c5bef0ad31c00364552bef5cbe68c26e232
SHA25635c562977023eea3091f52f21493ab471b1ee92a8366316fd006e966a68c680e
SHA51225c03f6a703d291ce8210cbfe1b41dd14731f80f47e4a4e7d5e26223c44a344ec1dc3ba3fa18b189297c1167bb5a6f620f566e897b7d50c92bacb031b26796b9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5e7ac2a6622d91fd05cf594e584c8d1ba
SHA11def281275c0866ae7fa6e9caea31a47ff6a35fb
SHA25659a4bbd5ea9784f278920b04078d865b49edab36d1caa275c34f4e3262f81589
SHA51294354db8c6347ced2e69379a23a7467d52e7fd8a17e0ec714c5339c76e1f5b1c6d04ef42d56ec3921968941ba33121c0faa563acdf6b8c1da4c047ea6bd0e4ef
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2FB0CFDE-D49C-4B9C-9314-DBE490E4896E}.FSDFilesize
128KB
MD5f13c3c60da32da778b37ec26789b6f08
SHA10b71edda51ba6b5ebc73e3561fdaffbf260dafb7
SHA2568bde27372b95b9ad1d276507cdcb3eacddd7c22819450cf2791df86533d97912
SHA5129848745b64138333dda6d35f7f53648fa05d444d0f670dc3b335904898bb58f3e4de4c3f588a7bb4cc3dd6c101b2593d4780c15164099df619cb434e9a5884ea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QHKTFKHM\##################################[1].docFilesize
26KB
MD518418b8b5e1ee58eba592c4b23abc28b
SHA12e4c99b68f74c39586c086f97cfc4d37e8a74f9c
SHA2569acbf2ec6d4d9e5a0e0f373409bfaa540daf14a95bb5f2743a07c440f65f7a7c
SHA5127a11cc0c0f1252c7b3ca6a4f807d82931e6d989286dc4e2fd2ec69481ed48c5899bb39da179753b34810ab2c6e7b527b56bd6fe30ea0794a9809d18f24d7bb35
-
C:\Users\Admin\AppData\Local\Temp\{7BF8C7C3-CABE-4CEA-8687-451D525C8D3D}Filesize
128KB
MD52987117254bf1a8f0d6c951857637d9c
SHA1419ebed467895952aa16c54dc3aae11e6017c4b5
SHA256832e02e29e1a48a34f7ada2e0bf82f26c32014bd2cd785a7b8f44209bed1cf22
SHA512f1a80ea19354b162ae57369bd2f1ed09ee3c1a77a190cfe7ba5c91337c00f48f2ad4ce474135b6c72b5f937194563cace42b0be332be5f77da32a1afd386a7d9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
87B
MD5cabdf7f7f7d8d2c323c2c9eea7c85cc9
SHA1d5fdc923ac0555711b31d83a7ca79153727b7fb6
SHA256529e3b5ba5e9e94057d4e81dac59fc47afc1d07c24886685a1528d0f6002fbcf
SHA512f2494c9498e9f26742ba79865cac01589fefb1b0d157edef1300473dce682aa2db7ffc514044ab6141a4c9e6d2093e44a8958869104f7d63c01b86ee8ebb2f4d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5ccc5298e4190986094f6c0717f76aef4
SHA12b070bf1624edf19ec4c97612f502ec0a6b257a7
SHA2565f3765e0ddeca3b55c8347f45ec2fbe563651d3a4e4e53f5a553db8bdf44c09f
SHA5129dc5cdef8874eb6aeb604147556f13588fb2a683f18e1d3924c35bf16e342c4233717f2dccb39a8d7fea697166f1c6001dcd115639285f1abcc2a357b8a8b0c9
-
C:\Users\Public\vbc.exeFilesize
305KB
MD5362fa6722c1048025b5e52135a27c3fa
SHA19ecc8c1e831fcf68331e1f7dcd1a5d572e0df543
SHA2569a2f50a963266521072bdce5439faba012ea3c822a9f6c2c62ae118875801874
SHA512404f187cb502e7967fa56dc579f6dce090c392f375d978be222603a968eed08d633ae9b264723ac0a845b0726076d71192108b4d2d78d44fac3ffa28696a7ef5
-
C:\Users\Public\vbc.exeFilesize
305KB
MD5362fa6722c1048025b5e52135a27c3fa
SHA19ecc8c1e831fcf68331e1f7dcd1a5d572e0df543
SHA2569a2f50a963266521072bdce5439faba012ea3c822a9f6c2c62ae118875801874
SHA512404f187cb502e7967fa56dc579f6dce090c392f375d978be222603a968eed08d633ae9b264723ac0a845b0726076d71192108b4d2d78d44fac3ffa28696a7ef5
-
C:\Users\Public\vbc.exeFilesize
305KB
MD5362fa6722c1048025b5e52135a27c3fa
SHA19ecc8c1e831fcf68331e1f7dcd1a5d572e0df543
SHA2569a2f50a963266521072bdce5439faba012ea3c822a9f6c2c62ae118875801874
SHA512404f187cb502e7967fa56dc579f6dce090c392f375d978be222603a968eed08d633ae9b264723ac0a845b0726076d71192108b4d2d78d44fac3ffa28696a7ef5
-
\Users\Public\vbc.exeFilesize
305KB
MD5362fa6722c1048025b5e52135a27c3fa
SHA19ecc8c1e831fcf68331e1f7dcd1a5d572e0df543
SHA2569a2f50a963266521072bdce5439faba012ea3c822a9f6c2c62ae118875801874
SHA512404f187cb502e7967fa56dc579f6dce090c392f375d978be222603a968eed08d633ae9b264723ac0a845b0726076d71192108b4d2d78d44fac3ffa28696a7ef5
-
\Users\Public\vbc.exeFilesize
305KB
MD5362fa6722c1048025b5e52135a27c3fa
SHA19ecc8c1e831fcf68331e1f7dcd1a5d572e0df543
SHA2569a2f50a963266521072bdce5439faba012ea3c822a9f6c2c62ae118875801874
SHA512404f187cb502e7967fa56dc579f6dce090c392f375d978be222603a968eed08d633ae9b264723ac0a845b0726076d71192108b4d2d78d44fac3ffa28696a7ef5
-
memory/908-151-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/908-156-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/908-146-0x0000000000220000-0x000000000023B000-memory.dmpFilesize
108KB
-
memory/1172-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1172-185-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB