Analysis
max time kernel: 149s
max time network: 131s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 20-06-2024 02:04

Static task: static1

Behavioral task: behavioral1
Sample: NEW ORDER.docx
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: NEW ORDER.docx
Resource: win10v2004-20240611-en
General
Target: NEW ORDER.docx
Size: 16KB
MD5: 0ec4a5cbc70d9e63dc8efc2197bc03fa
SHA1: 24715d7a38a0e3b3495d6fa7bd1164897fe36257
SHA256: c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
SHA512: cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
SSDEEP: 384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: bi09
Signatures

Formbook payload 2 IoCs
resource | yara_rule
behavioral1/memory/828-148-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1048-155-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook

Blocklisted process makes network request 1 IoCs
flow | pid | process
11 | 2896 | EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Downloads MZ/PE file

Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs
pid | process
1648 | obi72811.scr
828 | obi72811.scr

Loads dropped DLL 1 IoCs
pid | process
2896 | EQNEDT32.EXE

Drops file in System32 directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 1648 set thread context of 828 | 1648 | obi72811.scr | obi72811.scr
PID 828 set thread context of 1188 | 828 | obi72811.scr | Explorer.EXE
PID 1048 set thread context of 1188 | 1048 | cmmon32.exe | Explorer.EXE

Drops file in Windows directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
2372 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | process
828 | obi72811.scr (2 events)
1732 | powershell.exe (1 event)
1048 | cmmon32.exe (26 events)

Suspicious behavior: MapViewOfSection 5 IoCs
pid | process
828 | obi72811.scr (3 events)
1048 | cmmon32.exe (2 events)

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | process
Token: SeDebugPrivilege | 828 | obi72811.scr
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 1048 | cmmon32.exe
Token: SeShutdownPrivilege | 1188 | Explorer.EXE (2 events)
Token: SeShutdownPrivilege | 2372 | WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
pid | process
2372 | WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory 27 IoCs
description | pid | process | target process
PID 2896 wrote to memory of 1648 | 2896 | EQNEDT32.EXE | obi72811.scr (4 events)
PID 2372 wrote to memory of 1548 | 2372 | WINWORD.EXE | splwow64.exe (4 events)
PID 1648 wrote to memory of 1732 | 1648 | obi72811.scr | powershell.exe (4 events)
PID 1648 wrote to memory of 828 | 1648 | obi72811.scr | obi72811.scr (7 events)
PID 1188 wrote to memory of 1048 | 1188 | Explorer.EXE | cmmon32.exe (4 events)
PID 1048 wrote to memory of 2152 | 1048 | cmmon32.exe | cmd.exe (4 events)
Processes (indented by process tree depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.docx"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\obi72811.scr
    command line: "C:\Users\Admin\AppData\Roaming\obi72811.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\obi72811.scr
      command line: "C:\Users\Admin\AppData\Roaming\obi72811.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 1KB
MD5: 2365869258df7a66a2121b802ca4afd9
SHA1: 73acc30a2edeb9d6830de559bb8a74f35168135d
SHA256: d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed
SHA512: 795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 436B
MD5: 1bfe0a81db078ea084ff82fe545176fe
SHA1: 50b116f578bd272922fa8eae94f7b02fd3b88384
SHA256: 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
SHA512: 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: fab1b5a033a37a35139775b12422a284
SHA1: 248bd83dcfe83301b661329c90df40afab34c9c5
SHA256: d1b1ba52fdc2be06028e229ee040ddc450061e3ea0a832b68825742d8009d407
SHA512: e2314a544b6da41f93206d7cdc4399ccdc2e58931ad8c0dc5338a89425511446569ce0815e73c98c34b99eb91f73348d62ddd4a1d48b7fcd3000ee81db6f0b70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 32c3c25793320a74368e469e45f2bab7
SHA1: 43737e111c7f6cd5a4e60d1f37642dcd7489f99d
SHA256: f2e610a193316a2ad9ab6a99d8277969bb0261575177f98f4d7325ef1a4c831b
SHA512: 9d6346766f248d7359e1c2964e2bedac78c505ed91ab5f9d10dcc2edede5ddf4b18d9565243d94b30fccf871a5891c183a425a99aa2fb73922cb39326a59ffb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: 366cefb626a1732e36157df7ea263084
SHA1: 3b68d0e439899e8e54a4f361cb47a00718dc1ca8
SHA256: 7d466418c941c144e06193ff48a1e4d795617c77c9867b0b951ea4f552e17ea4
SHA512: 5d1546561850f75e3959b4276f4620f5f6bdd405fa1045ed23858425d6045d920c920b6f16ff05f619d1387dbd07a02e76e0b65922670c0eae64e6e07374d7e1

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize: 128KB
MD5: 9fe0fb67fd6878df3643778e68defb7a
SHA1: dfeab108ad81dc4796d3417aa86ccf2a9d8138d8
SHA256: 08a91205fa31a9bf11e68c23d1a18ea268e6136ca39871f61b17ad2ad10d9b70
SHA512: b26d3f1e1800f46aa359f09614d2e9b924aac0f768c2477b0137cfdb89615e424174db9ecedd6bee40bdafe269d2f48d6dac405775abeba237b2eae670b11d0e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\obizz[1].doc
Filesize: 442KB
MD5: 5b235feb1c1b78d5277c93bd7b0c2e6e
SHA1: 5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687
SHA256: ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648
SHA512: a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75

C:\Users\Admin\AppData\Local\Temp\Cab18BE.tmp
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\{93FA5F75-7E9E-4990-95FC-8FACECEFDDB6}
Filesize: 128KB
MD5: 0d9403fbe069c3f8dbd7d07bce1df27f
SHA1: 7023cb282401a31aac8ea676a3f4e1dc2b4e6f9d
SHA256: 9206126d5a5dedca07d9ec576f27ba6749698125e83ae632f319d6a847eda978
SHA512: a3daf1db74c51009429a7b2f17d32d3e0bd2b690cd0e8a965075a2a81e8ec17a985c60c5aeb5b259b8f1c611f451f1e8464e25972c344c3d8a75840e1220f92f

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: 04783cc938e075336eb6102d78eae73c
SHA1: 8540b341347fddedbea28abf7fc6dfa134c5ccc8
SHA256: d7315c3e0d52e5475dddfc5c944407212dd79104727bcfd277e56116a3cb6c08
SHA512: b55658dbdd57937fde2a36352d63e9fc11850749166be3f79fa2187f361c02b7496609b73d0cffb98c88d2db485f05f262847114d922a7519c60ffb1fd87e6a5

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

\Users\Admin\AppData\Roaming\obi72811.scr
Filesize: 593KB
MD5: d8c91a71029ceef428740e151acf7d33
SHA1: ed5da390841e9cf892db6f955c234cd8b4dc6068
SHA256: 968fc743550d4a7e20f7db9181a51ffbd8f2f355946cc3f4e8dd578c655d97e6
SHA512: 0d910d3c3bed77ec426b9fc75a273fd522592e402a3bf7ce012cc6ebf915614d50c7d9bb4a3574ff475380df1205642fda0b030010c3cce1b9641d3b358d1f81
Memory dumps
memory dump | Filesize
memory/828-143-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/828-145-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/828-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/828-148-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/1048-155-0x00000000000C0000-0x00000000000EF000-memory.dmp | 188KB
memory/1048-154-0x0000000000D10000-0x0000000000D1D000-memory.dmp | 52KB
memory/1188-159-0x0000000004D70000-0x0000000004E35000-memory.dmp | 788KB
memory/1188-153-0x00000000003A0000-0x00000000004A0000-memory.dmp | 1024KB
memory/1188-158-0x0000000003CE0000-0x0000000003EE0000-memory.dmp | 2.0MB
memory/1648-128-0x00000000006B0000-0x000000000073C000-memory.dmp | 560KB
memory/1648-141-0x00000000005A0000-0x00000000005AC000-memory.dmp | 48KB
memory/1648-122-0x0000000000AF0000-0x0000000000B88000-memory.dmp | 608KB
memory/1648-142-0x0000000004FD0000-0x0000000005046000-memory.dmp | 472KB
memory/1648-129-0x00000000004F0000-0x0000000000502000-memory.dmp | 72KB
memory/1648-140-0x0000000000510000-0x0000000000518000-memory.dmp | 32KB
memory/2372-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp | 44KB
memory/2372-156-0x0000000070B8D000-0x0000000070B98000-memory.dmp | 44KB
memory/2372-0-0x000000002F191000-0x000000002F192000-memory.dmp | 4KB
memory/2372-1-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/2372-190-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/2372-191-0x0000000070B8D000-0x0000000070B98000-memory.dmp | 44KB