formbook | c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016

Analysis

max time kernel
148s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.docx
Size

16KB
MD5

0ec4a5cbc70d9e63dc8efc2197bc03fa
SHA1

24715d7a38a0e3b3495d6fa7bd1164897fe36257
SHA256

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
SHA512

cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
SSDEEP

384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7

Score

10^/10

formbook bi09 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bi09

Decoy

fayenterprises.online

anekagaminghk.rest

mina-chan.site

theselfcarefaire.com

progym.app

cherishedtimes.space

gkrp9s016x.icu

api288-s-rtp.online

chikankari.shop

annarosellc.com

lcloud.services

aisuitability.com

sks41.com

7779c1.vip

tunasolution.click

nexbetwin.com

huatless.quest

junroptskdyued.shop

yourwellnesseq.com

zcymc.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2708-161-0x0000000000510000-0x000000000051C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2920-168-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/1540-176-0x00000000000D0000-0x00000000000FF000-memory.dmp formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

18 2384 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1216 powershell.exe
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

obi72811.scrobi72811.scr

pid process

2708 obi72811.scr
2920 obi72811.scr
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2384 EQNEDT32.EXE
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe

resource	yara_rule
behavioral1/memory/2708-161-0x0000000000510000-0x000000000051C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

resource	yara_rule
behavioral1/memory/2920-168-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1540-176-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

flow	pid	process
18	2384	EQNEDT32.EXE

pid	process
1216	powershell.exe

pid	process
2708	obi72811.scr
2920	obi72811.scr

pid	process
2384	EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

obi72811.scrobi72811.scrwlanext.exe

description	pid	process	target process
PID 2708 set thread context of 2920	2708	obi72811.scr	obi72811.scr
PID 2920 set thread context of 1356	2920	obi72811.scr	Explorer.EXE
PID 1540 set thread context of 1356	1540	wlanext.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2384 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2384	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2340 WINWORD.EXE

pid	process
2340	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

obi72811.scrpowershell.exewlanext.exe

pid	process
2920	obi72811.scr
2920	obi72811.scr
1216	powershell.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe
1540	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

obi72811.scrwlanext.exe

pid process

2920 obi72811.scr
2920 obi72811.scr
2920 obi72811.scr
1540 wlanext.exe
1540 wlanext.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

obi72811.scrpowershell.exewlanext.exeExplorer.EXEWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2920	obi72811.scr
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1540	wlanext.exe
Token: SeShutdownPrivilege	1356	Explorer.EXE
Token: SeShutdownPrivilege	1356	Explorer.EXE
Token: SeShutdownPrivilege	2340	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2340 WINWORD.EXE
2340 WINWORD.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
2340	WINWORD.EXE
2340	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EQNEDT32.EXEobi72811.scrExplorer.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 2384 wrote to memory of 2708	2384	EQNEDT32.EXE	obi72811.scr
PID 2384 wrote to memory of 2708	2384	EQNEDT32.EXE	obi72811.scr
PID 2384 wrote to memory of 2708	2384	EQNEDT32.EXE	obi72811.scr
PID 2384 wrote to memory of 2708	2384	EQNEDT32.EXE	obi72811.scr
PID 2708 wrote to memory of 1216	2708	obi72811.scr	powershell.exe
PID 2708 wrote to memory of 1216	2708	obi72811.scr	powershell.exe
PID 2708 wrote to memory of 1216	2708	obi72811.scr	powershell.exe
PID 2708 wrote to memory of 1216	2708	obi72811.scr	powershell.exe
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 2708 wrote to memory of 2920	2708	obi72811.scr	obi72811.scr
PID 1356 wrote to memory of 1540	1356	Explorer.EXE	wlanext.exe
PID 1356 wrote to memory of 1540	1356	Explorer.EXE	wlanext.exe
PID 1356 wrote to memory of 1540	1356	Explorer.EXE	wlanext.exe
PID 1356 wrote to memory of 1540	1356	Explorer.EXE	wlanext.exe
PID 2340 wrote to memory of 1828	2340	WINWORD.EXE	splwow64.exe
PID 2340 wrote to memory of 1828	2340	WINWORD.EXE	splwow64.exe
PID 2340 wrote to memory of 1828	2340	WINWORD.EXE	splwow64.exe
PID 2340 wrote to memory of 1828	2340	WINWORD.EXE	splwow64.exe
PID 1540 wrote to memory of 1420	1540	wlanext.exe	cmd.exe
PID 1540 wrote to memory of 1420	1540	wlanext.exe	cmd.exe
PID 1540 wrote to memory of 1420	1540	wlanext.exe	cmd.exe
PID 1540 wrote to memory of 1420	1540	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1828

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\obi72811.scr"
3⤵
PID:1420

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Roaming\obi72811.scr
"C:\Users\Admin\AppData\Roaming\obi72811.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi72811.scr"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Roaming\obi72811.scr
"C:\Users\Admin\AppData\Roaming\obi72811.scr"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
eeed0ef7b4109a06d092913c9a97d554

SHA1
da8edf541709eca07065af31c477883b45d7c050

SHA256
f56f488e3225f9c6f685ad075aa0393810f0e619c1ebf02d52e425e7efd38e17

SHA512
8f967899014cda191e7c286883d364fd60af9ec7a2f97abd7f73a5671226593638d7ec5e761bc99897e9742d532eac7aed978aa3d91a4104ef2fbc51552ffb99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8894c53a03882891fbe8db060f461b17

SHA1
0a8c92dfbfbc6e247dac40abf0b9c4f7274759f1

SHA256
7ac6f14f0e0d8a03b2d460485c558cf272f7a03ac0dbb689c9644f2e90d8813f

SHA512
fb8ecfb3cb8766623905bebef0df38b0268908f99433c44e5ac8d5c63055381f4d5e67eaea593cb77944e707a2879d5fc25167d5fb9c9b54abc4f42adc989b17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
534a0e461988fb702fc5e30c2bcd1ce7

SHA1
f7543dd86e07ed8cac10c5715a6bb4965dd6f31a

SHA256
6ae1cec1f318fae05c7eada0a7e6419c2d9e9f8e898d70a6211a274727cd874a

SHA512
88b942972b832f87ed18ea77024571f54a2de76cc1acfc2f2a31b3e7cf8924ae1a8cb6287f749c285e34006d2b8a1887f08331e61bf32ba5f08ef18b717dd945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
eae3375797c371521a369e94cffed15a

SHA1
83059fc9b34d9a2f7119dd4d3df144e8dad42893

SHA256
983f2bbb459578f7e384eda5ffdf05870d62c5c0164897450337ef13c49ac581

SHA512
bbaed4004ea9af6976657d74a3a749f4ad306c04d762429ef096248aee82bdb54e1643edd2af77344f691500452d7487290c3e72926951f4d38697a5ca22b64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D3598B2A-C1AB-44D6-B183-CD5922C3D785}.FSD
Filesize
128KB

MD5
af65ac826f6381053950595d046f4947

SHA1
629bf0f21e402ff06eb400d89b07e258e2e6d391

SHA256
6b2b2081a51f7709197ac17a8478e12a2c63b81af31cd544cc1bc8aad76d4f93

SHA512
52d4b6d077bbbfae992bdf42840f25e82b431bf27a13f2c301ef23e23a885c80dea4ca97a38c92c630bb9c1c2ef2e65653eb56d8add6ddd151ac8a0abc765994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
535e4cb2e09ef1f9bd896baa0b29a2b0

SHA1
e59d5e6f439055e4ee379161660d30d1a7ac09c9

SHA256
71ece786f5df7f328624433190dd55f6490d6fffe2c8cfc917c91598ff776c0a

SHA512
6032e80402ed4456550c0089e0fc94bfa2a5e01038c5c1ce362d58223bad7463eefc4b9e2518cf05681e777e9b113973b9be0d984f082e5d18924f7e93469410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FE22B4A3-108D-423B-9895-8335B5B63FD8}.FSD
Filesize
128KB

MD5
2a150c1db5ecbb2903e22e64934376bc

SHA1
f51fc5b3eaba061afdef2a23a0bfbb5014a410c1

SHA256
da2311a83af52c2f9d34c5eaf64a068ce72e0fc1af22046eae71b27600ca2bfd

SHA512
12f8384230e0c47836f775c2670a94c85e91d960b8702e4443bdca200f7d470a86f37c9e4d1ab855a55c35cefdf97b7a4abccbaa19b2a1eeb3d9671cba2f86b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046D7OWP\obizz[1].doc
Filesize
442KB

MD5
5b235feb1c1b78d5277c93bd7b0c2e6e

SHA1
5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687

SHA256
ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648

SHA512
a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BFA.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4E7B1752-4B88-4786-93A6-20FB3BB28132}
Filesize
128KB

MD5
89657179e6c8e51deea5561286995eb4

SHA1
c0385747f39caeed26f542c2c83f4ed3c11b427c

SHA256
777b2b6564ef67d03e74bead8dda3eba966a6ad60f74198546e6cc3512157368

SHA512
cbe8a7974afc745c756f56422b603760305bf566bcdca1b704ceb789b307df95bb683b2b1a42336aee93b008c1937d38b873845507a756e8c2c893c294fc8357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
a3401b9b29785712455649fbfaf06712

SHA1
2f4a91eae1621b168a2e1e8b8dcb9de0b0d1c81e

SHA256
a2e9d8959fd9125db01e052ce6de258447e063b606956a7a772bdc01ec970582

SHA512
8861f30f708c338d4e4e210e063d14dfdf966b288ebc8fac1c0443258c7aed839c6ec558a50f1f835ffc0beb5ddf966f35d3afee389d5454be1ef7416bed8466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obi72811.scr
Filesize
632KB

MD5
d476dc60d1746ee9e34f14681eafd5af

SHA1
79835bd94270bd77311e5eee68ad880c6671de4c

SHA256
0a561cc9dbba223ba3501076a6278d83681687d314cae7b1758248dc64f11c31

SHA512
3f4910485e9dbfa09c2f48bbe3f35311429860b0a058e26a881545307d4196d3e3f8830d7d744d4b24224bb28c00c783aebc3d82f92ad9d92da548a84d6686df

Download Submit
memory/1356-171-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/1356-181-0x0000000004400000-0x000000000449C000-memory.dmp

Filesize
624KB

Download
memory/1540-176-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1540-175-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/2340-2-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2340-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2340-0-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

Filesize
4KB

Download
memory/2340-212-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2340-211-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2340-177-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2708-144-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2708-162-0x0000000005550000-0x00000000055C6000-memory.dmp

Filesize
472KB

Download
memory/2708-161-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2708-160-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2708-150-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2708-149-0x0000000004330000-0x00000000043BE000-memory.dmp

Filesize
568KB

Download
memory/2920-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-167-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download