Analysis

max time kernel: 149s
max time network: 130s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 14:48
Static task: static1
Behavioral task: behavioral1
  Sample: 20062024_1448_20062024_NEW ORDER.docx
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 20062024_1448_20062024_NEW ORDER.docx
  Resource: win10v2004-20240508-en
The signatures, process tree and dumps below all come from behavioral1 (the Windows 7 / Office 2010 run); every memory resource listed is prefixed behavioral1.
General

Target: 20062024_1448_20062024_NEW ORDER.docx
Size: 16KB
MD5: 0ec4a5cbc70d9e63dc8efc2197bc03fa
SHA1: 24715d7a38a0e3b3495d6fa7bd1164897fe36257
SHA256: c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
SHA512: cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
SSDEEP: 384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: bi09
C2 domains (65). Formbook hides one real C2 among 64 decoy domains and beacons to the decoys as well, so the whole list belongs in a blocklist, but no single entry can be taken as the operator's server on its own.
fayenterprises.online
anekagaminghk.rest
mina-chan.site
theselfcarefaire.com
progym.app
cherishedtimes.space
gkrp9s016x.icu
api288-s-rtp.online
chikankari.shop
annarosellc.com
lcloud.services
aisuitability.com
sks41.com
7779c1.vip
tunasolution.click
nexbetwin.com
huatless.quest
junroptskdyued.shop
yourwellnesseq.com
zcymc.top
alabamacoastalhomesforsale.com
gemline.online
hydroshinepowerwash.com
brandpromocodes.com
soicauxsmb.com
healthcare-trends-31189.bond
qg65.top
lipinpay.com
nfrcadrvcf.com
xn--72cb0bab2pc6b3j3b.com
cb191.pro
solargridsnorthtampabay.com
bodiedbycoyaaa.com
mh-card50.online
759my.xyz
davidlorenc.com
hub2367.com
vmjpdnls.xyz
parentingsupportgroup.xyz
roofing-services-15001.bond
searchhomeshamiltonmill.com
fhermer.com
emailsports.com
t-sit.com
j1xhon.com
67657.ooo
one-business-steering.com
bt365323.com
clientsun.site
bernzahnarzt.com
evriukpostcom.xyz
plasoi.xyz
fxrxvvpc.shop
ixdye610r.xyz
wvpbuildingservices.com
fabergerobotics.com
winday.xyz
myicecreambb.com
plusmc.site
eudlt417i.xyz
rajabet123-akunvip.xyz
lubaksa.shop
baicb.com
zhaotongshi0870.top
umc.autos
Signatures

Formbook payload 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/452-147-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/328-155-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  11    1744  EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run: powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr", launched by the dropped loader so that Defender stops scanning its own file.

Downloads MZ/PE file

Abuses OpenXML format to download file from external location
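Checking a document for the external-relationship trick flagged above, as an added example (this is not the sandbox's signature logic): an OOXML package is a zip, every part has a .rels file listing its relationships, and a relationship with TargetMode="External" of type oleObject (or attachedTemplate, frame, subDocument) makes Word fetch and activate remote content while the document loads, with no macro involved. The scanner walks all .rels parts, so a remote object wired in from a header or footnote part is caught too. The package it scans is constructed in code, and the URL http://example.invalid/obizz.doc is a placeholder: the report does not record where obizz[1].doc was really fetched from.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Word pull remote content during load. Other external
# targets (hyperlink, image) are reported but not flagged: they need a click or are
# rendered as data rather than activated.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def find_external_relationships(package: bytes) -> list:
    """Return every TargetMode="External" relationship found in any *.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]   # last URI segment
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "risky": rel_type in RISKY_REL_TYPES,
                })
    return hits


def build_sample_docx(external_target) -> bytes:
    """Constructed minimal .docx (not the analysed sample). With external_target set,
    the document part links an OLE object to that URL, the shape remote-OLE droppers
    use; with None it is a purely internal package."""
    package_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    ole = (f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
           f'Target="{external_target}" TargetMode="External"/>') if external_target else ""
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'{ole}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", package_rels)
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the report does not give the real download location.
    for hit in find_external_relationships(build_sample_docx("http://example.invalid/obizz.doc")):
        flag = "RISKY" if hit["risky"] else "info "
        print(f'{flag} {hit["part"]} {hit["id"]} {hit["type"]} -> {hit["target"]}')
```

Run it against a real .docx by passing the file's bytes to find_external_relationships; anything flagged risky should be treated as a download-and-execute primitive regardless of what the visible document looks like.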
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2712  obi72811.scr
  452   obi72811.scr

Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1744  EQNEDT32.EXE

Drops file in System32 directory 1 IoCs
Processes:
  description                   ioc                                                                                                                           process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process       target process
  PID 2712 set thread context of 452   2712  obi72811.scr  obi72811.scr
  PID 452 set thread context of 1208   452   obi72811.scr  Explorer.EXE
  PID 328 set thread context of 1208   328   cmd.exe       Explorer.EXE

Drops file in Windows directory 1 IoCs
Processes:
  description                   ioc                                process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Here it is EQNEDT32.EXE (pid 1744), started by COM activation with -Embedding, which is why it appears as its own root in the process tree rather than as a child of WINWORD.EXE.
Modifies Internet Explorer settings 31 IoCs
All 31 entries are written by WINWORD.EXE (pid 2292). They are Word 2010's own start-up registration of its HTML/MHTML editor association and Internet Explorer menu extensions, not attacker activity; the REG_BINARY command values are UTF-16LE MSI Darwin descriptors (advertised-shortcut data), not shellcode.
Processes (all WINWORD.EXE):
  1. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  2. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  3. Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  4. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  5. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  6. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  7. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  8. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  9. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  10. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  11. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = (same REG_BINARY value as entry 2)
  12. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  13. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  14. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  15. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  16. Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  17. Set value (int)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  18. Set value (int)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  19. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  20. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  21. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  22. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  23. Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt
  24. Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  25. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  26. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  27. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  28. Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  29. Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar
  30. Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  31. Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Modifies registry class 64 IoCs
Same origin as the Internet Explorer entries: WINWORD.EXE (pid 2292) registering the .htm/.mht Open-With handlers for Word, Excel and Publisher. The three distinct REG_BINARY command values are UTF-16LE MSI Darwin descriptors for the Office 2010 WORDFiles, PubPrimary and EXCELFiles features, not shellcode.
Processes (all WINWORD.EXE):
  1. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
  2. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
  3. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
  4. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  5. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
  6. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
  7. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
  8. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  9. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
  10. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
  11. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
  12. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
  13. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
  14. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  15. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
  16. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  17. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  18. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
  19. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
  20. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
  21. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  22. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  23. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  24. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  25. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
  26. Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
  27. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
  28. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
  29. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
  30. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  31. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
  32. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
  33. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  34. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
  35. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
  36. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  37. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
  38. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  39. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  40. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  41. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
  42. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
  43. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
  44. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  45. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = (same REG_BINARY value as entry 44)
  46. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe
  47. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
  48. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
  49. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = (same REG_BINARY value as entry 16)
  50. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
  51. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe
  52. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  53. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  54. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  55. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
  56. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  57. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  58. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
  59. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
  60. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  61. Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
  62. Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = (same REG_BINARY value as entry 16)
  63. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  64. Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
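The REG_BINARY command values in the Internet Explorer and registry class sections above look like opaque blobs, but they are UTF-16LE text. This added example (not part of the report) decodes the Word one and expands the MSI Darwin descriptor it contains: a 20-character base-85 product GUID, a feature name, a '>' separator, a 20-character component GUID and the shortcut arguments. The alphabet and layout are the standard Darwin descriptor format used by MSI advertised shortcuts; the hex constant is copied from the report. Recovering 90140000-0011-0000-0000-0000000FF1CE, an Office 2010 product code (0011 is Professional Plus), is the quickest way to confirm these writes belong to Office itself rather than to the malware.

```python
import struct
import uuid

# Alphabet of the MSI "Darwin" compressed-GUID encoding (85 symbols; a symbol's value is its index).
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
                   "abcdefghijklmnopqrstuvwxyz{}~")

# REG_BINARY 'command' value WINWORD.EXE wrote under the HTML/MHTML editor keys (from the report).
WORD_EDIT_COMMAND_HEX = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000"
)


def darwin_to_guid(squished: str) -> str:
    """Expand a 20-character Darwin GUID to canonical text.

    Each 5-character group is a base-85 DWORD with the least significant symbol
    first; the four DWORDs are the GUID structure as laid out in memory, which is
    exactly what uuid.UUID(bytes_le=...) expects."""
    if len(squished) != 20:
        raise ValueError("Darwin GUID must be exactly 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for symbol in reversed(squished[i:i + 5]):
            value = value * 85 + DARWIN_ALPHABET.index(symbol)   # ValueError on a foreign symbol
        if value > 0xFFFFFFFF:
            raise ValueError("base-85 group does not fit in a DWORD")
        dwords.append(value)
    return str(uuid.UUID(bytes_le=struct.pack("<IIII", *dwords))).upper()


def parse_darwin_descriptor(reg_binary_hex: str) -> dict:
    """Decode a REG_BINARY blob as a UTF-16LE Darwin descriptor:
    <20-char product GUID><feature name>'>'<20-char component GUID><trailing arguments>.
    Raises ValueError if the blob does not have that shape."""
    text = bytes.fromhex(reg_binary_hex).decode("utf-16-le").rstrip("\x00")
    product, rest = text[:20], text[20:]
    feature, sep, tail = rest.partition(">")
    if not sep or len(tail) < 20:
        raise ValueError("not a Darwin descriptor")
    component, arguments = tail[:20], tail[20:]
    return {
        "product_guid": darwin_to_guid(product),
        "feature": feature,
        "component_guid": darwin_to_guid(component),
        "arguments": arguments,
        "raw": text,
    }


if __name__ == "__main__":
    for key, value in parse_darwin_descriptor(WORD_EDIT_COMMAND_HEX).items():
        print(f"{key:15} {value}")
```

The same function handles the PubPrimary and EXCELFiles blobs from the registry class section; a value that raises ValueError here is something other than an Office shortcut descriptor and deserves a closer look.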
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  2292  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid   process         count
  452   obi72811.scr    2
  708   powershell.exe  1
  328   cmd.exe         26

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid   process       count
  452   obi72811.scr  3
  328   cmd.exe       2

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     452   obi72811.scr
  Token: SeDebugPrivilege     708   powershell.exe
  Token: SeDebugPrivilege     328   cmd.exe
  Token: SeShutdownPrivilege  1208  Explorer.EXE
  Token: SeShutdownPrivilege  2292  WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process      count
  2292  WINWORD.EXE  2

Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  pid   process       target pid  target process  count
  1744  EQNEDT32.EXE  2712        obi72811.scr    4
  2712  obi72811.scr  708         powershell.exe  4
  2712  obi72811.scr  452         obi72811.scr    7
  1208  Explorer.EXE  328         cmd.exe         4
  2292  WINWORD.EXE   888         splwow64.exe    4
  328   cmd.exe       1600        cmd.exe         4
Processes

C:\Windows\Explorer.EXE  (pid 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (pid 2292)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20062024_1448_20062024_NEW ORDER.docx"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe  (pid 888)
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\cmd.exe  (pid 328)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (pid 1600)
      command line: /c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (pid 1744)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\obi72811.scr  (pid 2712)
    command line: "C:\Users\Admin\AppData\Roaming\obi72811.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (pid 708)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\obi72811.scr  (pid 452)
      command line: "C:\Users\Admin\AppData\Roaming\obi72811.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Reading the tree (pids taken from the signature tables above): WINWORD.EXE never spawns the payload itself. The external OpenXML relationship pulls in a second document (obizz[1].doc in the IE cache), its embedded object activates EQNEDT32.EXE out of process through COM (-Embedding, hence no Office parent), and Equation Editor drops and runs obi72811.scr. The loader adds a Defender exclusion for its own path, hollows a second copy of itself (2712 -> 452), and that copy injects into Explorer.EXE (1208). The four autoconv.exe launches with no activity and the hollowed cmd.exe (328) are Formbook's usual next step: the code injected into Explorer starts a process chosen at random from a hardcoded list of Windows executables (autoconv.exe and cmd.exe are both on it), migrates into it, and from there deletes the original dropper (cmd.exe /c del ...). The memory regions 452-147 and 328-155 are the two that matched the formbook YARA rule.
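The whole chain reduces to a handful of parent/child and API relationships that an EDR or Sysmon pipeline can test without any Formbook-specific indicator. The detector below is an added example, not tria.ge's signature engine. Its input is a constructed event list rebuilt from this tree: pids, images and command lines as reported, parent pid 0 where the tree shows no parent, and the network and SetThreadContext observations taken from the signature tables. The record schema is an assumption about what such a pipeline provides, not a real product's format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process record in the shape an EDR or Sysmon pipeline might hand us
    (constructed schema for this example)."""
    pid: int
    ppid: int                            # 0 = parent not recorded (COM activation, session root)
    image: str
    cmdline: str
    network: bool = False                # made an outbound connection
    thread_context_targets: tuple = ()   # pids this process called SetThreadContext on


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events) -> list:
    """Return (rule, pid, detail) tuples for the behaviours this report shows."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        # Equation Editor has no legitimate reason to spawn anything or to use the network.
        if parent_name == "eqnedt32.exe":
            alerts.append(("eqnedt32_child", e.pid, name))
        if name == "eqnedt32.exe" and e.network:
            alerts.append(("eqnedt32_network", e.pid, e.cmdline))

        # Defence evasion: Add-MpPreference -Exclusion{Path,Process,Extension}.
        if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion", e.cmdline, re.I):
            alerts.append(("defender_exclusion", e.pid, e.cmdline))

        # SetThreadContext on a child running the same image: hollowing a fresh copy of
        # itself. SetThreadContext on explorer.exe, which is never its child: injection.
        for target_pid in e.thread_context_targets:
            target = by_pid.get(target_pid)
            if target is None:
                continue
            if target.ppid == e.pid and target.image.lower() == e.image.lower():
                alerts.append(("self_hollowing", e.pid, target_pid))
            elif image_name(target.image) == "explorer.exe":
                alerts.append(("explorer_injection", e.pid, name))

        # Cleanup of a dropped executable under the user profile.
        if name == "cmd.exe" and re.search(r"\bdel\b.*\\appdata\\", e.cmdline, re.I):
            alerts.append(("dropper_cleanup", e.pid, e.cmdline))
    return alerts


# Constructed from the process tree and signature tables in this report.
SAMPLE_EVENTS = [
    ProcEvent(1208, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2292, 1208, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\20062024_1448_20062024_NEW ORDER.docx"'),
    ProcEvent(1744, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
              network=True),
    ProcEvent(2712, 1744, r"C:\Users\Admin\AppData\Roaming\obi72811.scr",
              r'"C:\Users\Admin\AppData\Roaming\obi72811.scr"', thread_context_targets=(452,)),
    ProcEvent(708, 2712, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"'),
    ProcEvent(452, 2712, r"C:\Users\Admin\AppData\Roaming\obi72811.scr",
              r'"C:\Users\Admin\AppData\Roaming\obi72811.scr"', thread_context_targets=(1208,)),
    ProcEvent(328, 1208, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"',
              thread_context_targets=(1208,)),
    ProcEvent(1600, 328, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"'),
]


if __name__ == "__main__":
    for rule, pid, detail in detect_chain(SAMPLE_EVENTS):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

Each rule fires on its own, so a partial chain (Equation Editor spawning anything, or a PowerShell Defender exclusion) is still caught; a plain document open (Explorer starting WINWORD.EXE) produces nothing.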
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 1KB
  MD5: 2365869258df7a66a2121b802ca4afd9
  SHA1: 73acc30a2edeb9d6830de559bb8a74f35168135d
  SHA256: d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed
  SHA512: 795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 436B
  MD5: 1bfe0a81db078ea084ff82fe545176fe
  SHA1: 50b116f578bd272922fa8eae94f7b02fd3b88384
  SHA256: 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
  SHA512: 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 174B
  MD5: d8620d80519e09a3fcb4e10275d78151
  SHA1: cefa8a48e6ee8c197b9a5fdc626c1d0cf5dbcd8f
  SHA256: b0af76657c866e92eecb7447ba6a83552e6703a73b897d993ff0983885a068bb
  SHA512: 0f0bbd7b061e73f9564d3299e0d0ae54d9f001a8bfc84de8558e90b3f7943cf39b518ca71d47c7d078f7b2ca8bd4ca06bb05871319fd7a2b377706624472eabc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 93545d8f7eb151ac79f26cc9a86e2437
  SHA1: 31f9d49d5cb437652c4f1c7a8db6364150643231
  SHA256: 2090c31a41e460e497718c39e64f7dd1648571b6d14b9c6a1a48c03df69e8cae
  SHA512: 25940f2a941823807f2b3ac4fe2159984921e6407e5fb75bf99f17e73f910a74d1a8df0239cd00108eb20bce00cd57c750d50b171c60cea536309c7a4fa3bbef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 170B
  MD5: 05ecb423b4e40cc6445736f14068d5c2
  SHA1: bdc74c4d23bd1de28cb50a44c7fb168fbaa61105
  SHA256: 0ff27ec8efca20fdd2819f129fedd815bd78d16d3ba1f91fe9903b925120c3e8
  SHA512: 79d4fa0339a6741e93c8f60d3c4f788f47dc073a5a2b929680e3bdfc8c1064abac5841df5ecdb3c2ae64acdba3cb0a42f06fc2ef32483166ce1446b37e23fec9

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 9d3771c15977ccd1d6cef273233c5d8c
  SHA1: db3428f97f53a76b173c3308acfc73dd0e064900
  SHA256: b53ad4e66fcaf58ba83d8fa58b2c064ddf8b3f5a9321fc78b2d1a6baa5fd2d03
  SHA512: aefb0790f9ec3396cae3fd9b49c383f00f26abf4b22c21a39527d8f95a38a688bd5f461c0aac980ace8169d40761aa9aa8fd64c479be61a719f8a593f7c33bfe

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C9DB261F-19AE-4ABF-A993-7CBF1E199596}.FSD
  Filesize: 128KB
  MD5: ab089639b456168578db12fb9695c8b9
  SHA1: 97684745b9dd511d6dd6c18c5b4b2c2a72624bec
  SHA256: 880f1a57a83468db9784ead788051f0bacee75faa05ab8a6ba66398c03f9d9e7
  SHA512: 2032316cf30957aad11763acdafc6463fcc1d42119db659723732edefe95815473882eb1cecab8bfc11d79d1de06d7debc24aa8a517f63a6b9247b4c1bc65516

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\obizz[1].doc
  Filesize: 442KB
  MD5: 5b235feb1c1b78d5277c93bd7b0c2e6e
  SHA1: 5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687
  SHA256: ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648
  SHA512: a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75

C:\Users\Admin\AppData\Local\Temp\Cab1FFF.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\{AD2F8924-FCB1-483C-86BA-CF0266B7E198}
  Filesize: 128KB
  MD5: 9cc4e99378773823936e044ae6bd113d
  SHA1: f7b7b537c22c1b637e3b2f329488b1ad598a3b10
  SHA256: 0f6a7539a80820d08bc835ec170559e1a08517848b1b8123e5b7e63921db5cf1
  SHA512: 2fd67ec9734df1c9fcda5e99068a4124d3e6c60052763597604ede62dbeac3595826ee1f18d3a99b17afa4b06a6298fdcd5874134850cf4f1f9c1da5ea7bf2fa

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: b6cee332000cbb1d0d62d081303b41be
  SHA1: 1b49aa20d29364375bcbb2c80f1b0ce52dde53eb
  SHA256: 49991525662299f4ee2a52563dcafb131acfa66fef4437ad0a28a5facb4debb3
  SHA512: 3a09709de5f710a760a0b21607b02c0938b6fdebc1107d4819d0181cd6189151a3cce64640d32ba6bbfce41a600f2751a4f516d64ed36fdf65da487663689a6f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

\Users\Admin\AppData\Roaming\obi72811.scr
  Filesize: 732KB
  MD5: 78a1f9ac9d0f07f86ed18c7561c06766
  SHA1: dff85c261f40f3534cd9c83b12f6f01238e839c1
  SHA256: f9858bec8a0e0f21208bc5cf989bd6d878f4cd527e23a6a1938883e71257fedc
  SHA512: 24db7443ac438221922be6c357fa339bf87c10aa3e614c912d93e861f26d7078ecee2f384f2ce87de54a1f3c132c09693a5dd7ef3cc59f576aa38c992ef8916a

Reading the list: obizz[1].doc in the Content.IE5 cache (442KB) is the document pulled in through the external OpenXML relationship, and \Users\Admin\AppData\Roaming\obi72811.scr (732KB) is the PE dropped and run by EQNEDT32.EXE and later deleted by cmd.exe; these two are the artefacts worth hashing and hunting for. The CryptnetUrlCache, OfficeFileCache, Cab*.tmp, Normal.dotm and UProof entries are Word's own working files.

Memory dumps
  memory/328-155-0x0000000000080000-0x00000000000AF000-memory.dmp    Filesize: 188KB
  memory/328-154-0x0000000049DC0000-0x0000000049E0C000-memory.dmp    Filesize: 304KB
  memory/452-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp    Filesize: 4KB
  memory/452-142-0x0000000000400000-0x000000000042F000-memory.dmp    Filesize: 188KB
  memory/452-147-0x0000000000400000-0x000000000042F000-memory.dmp    Filesize: 188KB
  memory/452-144-0x0000000000400000-0x000000000042F000-memory.dmp    Filesize: 188KB
  memory/1208-159-0x0000000003CD0000-0x0000000003D77000-memory.dmp   Filesize: 668KB
  memory/1208-150-0x00000000000C0000-0x00000000001C0000-memory.dmp   Filesize: 1024KB
  memory/2292-156-0x0000000070B8D000-0x0000000070B98000-memory.dmp   Filesize: 44KB
  memory/2292-0-0x000000002F8F1000-0x000000002F8F2000-memory.dmp     Filesize: 4KB
  memory/2292-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp     Filesize: 44KB
  memory/2292-1-0x000000005FFF0000-0x0000000060000000-memory.dmp     Filesize: 64KB
  memory/2292-189-0x000000005FFF0000-0x0000000060000000-memory.dmp   Filesize: 64KB
  memory/2292-190-0x0000000070B8D000-0x0000000070B98000-memory.dmp   Filesize: 44KB
  memory/2712-141-0x0000000007AB0000-0x0000000007B26000-memory.dmp   Filesize: 472KB
  memory/2712-140-0x0000000000520000-0x000000000052C000-memory.dmp   Filesize: 48KB
  memory/2712-139-0x00000000004F0000-0x00000000004F8000-memory.dmp   Filesize: 32KB
  memory/2712-122-0x0000000000A40000-0x0000000000AFA000-memory.dmp   Filesize: 744KB
  memory/2712-129-0x0000000000310000-0x0000000000322000-memory.dmp   Filesize: 72KB
  memory/2712-128-0x00000000020A0000-0x000000000212C000-memory.dmp   Filesize: 560KB

The two dumps that matched the formbook YARA rule are 452-147 (the hollowed obi72811.scr copy, image base 0x400000) and 328-155 (the hollowed cmd.exe); both are 188KB, the same unpacked Formbook image mapped at two different bases.