Analysis
-
max time kernel
146s
-
max time network
136s
-
platform
windows7_x64
-
resource
win7-20240611-en
-
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
-
submitted
24-06-2024 16:33
Static task
static1
Behavioral task
behavioral1
Sample
MT103-746394.rtf
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
MT103-746394.rtf
Resource
win10v2004-20240508-en
General
-
Target
MT103-746394.rtf
-
Size
465KB
-
MD5
fd8649f8d7287ef36bdcec7f9b2f98c9
-
SHA1
3e0d4305545d69aa47e741061adaf2a044d01d0d
-
SHA256
25128aab1edb1b7db3940787f0ae45722ea36b0a3e2423a155ea5618fab2af85
-
SHA512
308a4d5bbb969d34e448591e9caa1d4138ae25a2f8573d3f220de1487cb2ac3ebe08b3736d64e7d11f4cd46dbc867a2e5d5db7ceba89e2b382b74fb363863660
-
SSDEEP
6144:4wAYwAYwAYwAYwAYwAYwAYwAYwAYwAqFm4NvfB/0:T
Malware Config
Extracted
formbook
4.1
bi09
Signatures
-
Formbook payload 2 IoCs
Processes:
resource / yara_rule:
behavioral1/memory/1844-47-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
behavioral1/memory/808-53-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
-
Blocklisted process makes network request 2 IoCs
Processes:
EQNEDT32.EXE
flow / pid / process:
4 / 604 / EQNEDT32.EXE
7 / 604 / EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
obious53209.exe
pid / process:
2920 / obious53209.exe
1844 / obious53209.exe
-
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXE
pid / process:
604 / EQNEDT32.EXE
604 / EQNEDT32.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
obious53209.exe, svchost.exe
description / pid / process / target process:
PID 2920 set thread context of 1844 / 2920 / obious53209.exe / obious53209.exe
PID 1844 set thread context of 1188 / 1844 / obious53209.exe / Explorer.EXE
PID 808 set thread context of 1188 / 808 / svchost.exe / Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description / ioc / process:
File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
WINWORD.EXE (description / ioc / process table: registry key and value changes under the Internet Explorer Default HTML/MHTML Editor and MenuExt settings; raw dump omitted)
-
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE (description / ioc / process table: registry key and value changes under HKLM\SOFTWARE\Classes for the .htm and .mht OpenWithList entries, htmlfile and mhtmlfile shell verbs and the msohtmed CLSID; raw dump omitted)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid / process:
2404 / WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
obious53209.exe, svchost.exe
pid / process:
1844 / obious53209.exe
1844 / obious53209.exe
808 / svchost.exe (repeated for the remaining 25 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
obious53209.exe, svchost.exe
pid / process:
1844 / obious53209.exe
1844 / obious53209.exe
1844 / obious53209.exe
808 / svchost.exe
808 / svchost.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
obious53209.exe, svchost.exe, Explorer.EXE
description / pid / process:
Token: SeDebugPrivilege / 1844 / obious53209.exe
Token: SeDebugPrivilege / 808 / svchost.exe
Token: SeShutdownPrivilege / 1188 / Explorer.EXE
Token: SeShutdownPrivilege / 1188 / Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid / process:
2404 / WINWORD.EXE
2404 / WINWORD.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXE, WINWORD.EXE, obious53209.exe, Explorer.EXE, svchost.exe
description / pid / process / target process:
PID 604 wrote to memory of 2920 / 604 / EQNEDT32.EXE / obious53209.exe (4 entries)
PID 2404 wrote to memory of 2828 / 2404 / WINWORD.EXE / splwow64.exe (4 entries)
PID 2920 wrote to memory of 1844 / 2920 / obious53209.exe / obious53209.exe (7 entries)
PID 1188 wrote to memory of 808 / 1188 / Explorer.EXE / svchost.exe (4 entries)
PID 808 wrote to memory of 1808 / 808 / svchost.exe / cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MT103-746394.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\splwow64.exe (level 3)
    Command line: C:\Windows\splwow64.exe 12288
  -
  C:\Windows\SysWOW64\svchost.exe (level 2)
  Command line: "C:\Windows\SysWOW64\svchost.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: /c del "C:\Users\Admin\AppData\Roaming\obious53209.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\obious53209.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\obious53209.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\obious53209.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Roaming\obious53209.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize 20KB
MD5 d6be6c3e0769cd09cef747c88af30cc2
SHA1 97c8535f3f8fd33c74bf8ee68d7f21cd1f7eb323
SHA256 2af08c92fad4d9cd59cc212aae0098c618387e0c100fa3cb2edb2b9b2ddf62d4
SHA512 2864e2da7ed4e46910f855855de04072d71aef97df3440b90add189b2df2565acf77de9293873f78b4fd4dd03bcc31bae8aac1dbaef7d6e39bdef72d7e2cc43f
-
\Users\Admin\AppData\Roaming\obious53209.exe
Filesize 1.0MB
MD5 cfd16b1d1a055adb68a92b7743dcb0e1
SHA1 26463e8ba811f0222829822d2ad12534f9f48932
SHA256 afeb09eceb107f196b5d36cc9e307cadbeaea39f0d6c12f8533d531647587ce3
SHA512 430162c2310280b00da45070da29a31892294796f1cd65fc93688d17d43125f23a73f8fae9ac92a3d96c6c0fb612d5c7bef1fc6acbe5285a44eb3a5590001e9d
-
memory/808-53-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize 188KB
-
memory/808-51-0x0000000000B00000-0x0000000000B08000-memory.dmp
Filesize 32KB
-
memory/1188-50-0x0000000000360000-0x0000000000460000-memory.dmp
Filesize 1024KB
-
memory/1188-55-0x0000000007520000-0x00000000076AA000-memory.dmp
Filesize 1.5MB
-
memory/1844-47-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1844-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1844-44-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1844-43-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/2404-0-0x000000002F7C1000-0x000000002F7C2000-memory.dmp
Filesize 4KB
-
memory/2404-52-0x00000000714BD000-0x00000000714C8000-memory.dmp
Filesize 44KB
-
memory/2404-2-0x00000000714BD000-0x00000000714C8000-memory.dmp
Filesize 44KB
-
memory/2404-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2404-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/2920-41-0x00000000048D0000-0x0000000004946000-memory.dmp
Filesize 472KB
-
memory/2920-40-0x00000000006A0000-0x00000000006AC000-memory.dmp
Filesize 48KB
-
memory/2920-38-0x00000000005E0000-0x00000000005F0000-memory.dmp
Filesize 64KB
-
memory/2920-33-0x00000000013C0000-0x00000000014CC000-memory.dmp
Filesize 1.0MB