formbook | 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx
Size

16KB
MD5

e86424648b277754b74e507d51878e71
SHA1

e86498df0eb2a8514e0d55f9a33148779bf5b66d
SHA256

3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0
SHA512

59c3c950a0f450b895b091fdf7f9664ed75124be0b7c699631b0a753bef062304151e1e58b3dfcc2032e819f339336c996482a6de94eee3e6327d24e8c51f84c
SSDEEP

384:0yXRxAxW4s8PL8wi4OEwH8TIbE91r2fR8JYbvimVmPFM:0cRM/5P3DOqnYJ6qvfVmPG

Score

10^/10

formbook btrd rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/272-135-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/2716-149-0x0000000000080000-0x00000000000AF000-memory.dmp formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

11 2636 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

nelb82019.scrnelb82019.scr

pid process

1824 nelb82019.scr
272 nelb82019.scr
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2636 EQNEDT32.EXE

resource	yara_rule
behavioral1/memory/272-135-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2716-149-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

flow	pid	process
11	2636	EQNEDT32.EXE

pid	process
1824	nelb82019.scr
272	nelb82019.scr

pid	process
2636	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

nelb82019.scrnelb82019.scrraserver.exe

description	pid	process	target process
PID 1824 set thread context of 272	1824	nelb82019.scr	nelb82019.scr
PID 272 set thread context of 1208	272	nelb82019.scr	Explorer.EXE
PID 2716 set thread context of 1208	2716	raserver.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2636 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2636	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1312 WINWORD.EXE

pid	process
1312	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

nelb82019.scrraserver.exe

pid	process
272	nelb82019.scr
272	nelb82019.scr
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe
2716	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

nelb82019.scrraserver.exe

pid process

272 nelb82019.scr
272 nelb82019.scr
272 nelb82019.scr
2716 raserver.exe
2716 raserver.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

nelb82019.scrraserver.exeExplorer.EXEWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	272	nelb82019.scr
Token: SeDebugPrivilege	2716	raserver.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1312	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1312 WINWORD.EXE
1312 WINWORD.EXE

pid	process
1312	WINWORD.EXE
1312	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEnelb82019.scrExplorer.EXEraserver.exeWINWORD.EXE

description	pid	process	target process
PID 2636 wrote to memory of 1824	2636	EQNEDT32.EXE	nelb82019.scr
PID 2636 wrote to memory of 1824	2636	EQNEDT32.EXE	nelb82019.scr
PID 2636 wrote to memory of 1824	2636	EQNEDT32.EXE	nelb82019.scr
PID 2636 wrote to memory of 1824	2636	EQNEDT32.EXE	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1824 wrote to memory of 272	1824	nelb82019.scr	nelb82019.scr
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	raserver.exe
PID 2716 wrote to memory of 1076	2716	raserver.exe	cmd.exe
PID 2716 wrote to memory of 1076	2716	raserver.exe	cmd.exe
PID 2716 wrote to memory of 1076	2716	raserver.exe	cmd.exe
PID 2716 wrote to memory of 1076	2716	raserver.exe	cmd.exe
PID 1312 wrote to memory of 2500	1312	WINWORD.EXE	splwow64.exe
PID 1312 wrote to memory of 2500	1312	WINWORD.EXE	splwow64.exe
PID 1312 wrote to memory of 2500	1312	WINWORD.EXE	splwow64.exe
PID 1312 wrote to memory of 2500	1312	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2500

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
3⤵
PID:1076

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\nelb82019.scr
"C:\Users\Admin\AppData\Roaming\nelb82019.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\nelb82019.scr
"C:\Users\Admin\AppData\Roaming\nelb82019.scr"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
d484f81016a0c21f2881004ac3b9a5b7

SHA1
182f4a8d74ff4682533d2a39fb44d3b9d5bc87c3

SHA256
82729f693790a30c02ee52ca1465bf2dfdc2ed44f49ce7e50e51c05f8838e434

SHA512
2782fe169244301d1d1436a5bc876a56a868ae2c520eebe9e3a65fd83f502980e1d3eb937c67a375e8110a0e2e9b196fc1f240c35a0197f5753e757ffdafb9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
95eedb0ec77299c11b55ab3b653ad2ad

SHA1
1491be29f0622bf413ac07d66711011e450d3a91

SHA256
4893861581e41142fdf73f81c59229beb4c3491df309de0cfbd05f6e5e054293

SHA512
550791b1dab48187fbec5faa1281393aa70b5ee701313488d0ec1cb5c66ae87f7184ca965eaa73b49a012cc1b2ecc802a6035bd9bb3eb1dfb74f8d1d2ed7e60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cc6a79a33e93d4f63a8622ed3c846c97

SHA1
79ae3f1ad4cad1b8bd38cafb9f194ca760aa6c87

SHA256
3810a937b402271bc9faf28b7142f11f518f58137ce7c1744e98c085033e0a41

SHA512
6aad50c69768f42594d3df573e145f461325e513a20bc00c64e44ce2a82b2787d6b3e00978a4a1769cf4318553f197d19b828e2b0df53361d30c8cd25b33f685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
b168d9f611307d1840b7993c7cb4ea6b

SHA1
528ee7db14b92af82d2a959326e72ede9303fe4a

SHA256
b4d111181b6ff764f0538eaa94d52243d15e6f32a2d34b82ec3c782c91b96ae1

SHA512
bb9e4edab45b073670e18b4b7ed16a625fbfff744d8d68946745fafbf9e3e5985e980351890d01610b4521256905232e8d25d643b6912f69640ee7aa0e6eddb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
110a062d30bf55576de1fb6d9548ece0

SHA1
6f078364f247634c472262cbe53c55deb64bd31b

SHA256
beec4b2b36227b81eb73e22c180e6d3073c240758760330ba354b38ddab08c66

SHA512
6d391adcda3a4453c78f5c1493fabf1c74fdf6c0f100af16e664c47338ad495c92deb23e0274d4a442587d1ec894f5dc65809076ff5f19fc62a4fabb83884882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{EC91BB0E-CBC0-4BBF-9365-EC5CE618ADD4}.FSD
Filesize
128KB

MD5
30aebae81eb1a0d3710b91f449063976

SHA1
278af9d6708fd91313103300df4b6bc3935af3ba

SHA256
4b06efc07a1485338c2cb272376d8c836811c3e18cef2d068c660de026291ffe

SHA512
ad32aa4b7c7c0926ada766b74fbddf76dba33b37bcde2184e46710635c4ec666da8cc3a71ec10961347c57069ad0cca90a87d28666e41789448dd001816475a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\nelb[1].doc
Filesize
561KB

MD5
6b9167056af49bf702c833ae4f581ef1

SHA1
ed4886d86b8ad96a0a252190705d70e0fac9289b

SHA256
13bc94a2f39a03f509036ff58462b974c401cac0df52cce22223114f909b2f72

SHA512
4ba4fc52c2add76cb58cec62f9ae608108aa77374c63c4416f4e5c2ac0fc4bf3569f3520e1ac77994842789015c767d3bb2dd1d384221d5fa865ab54bfc51a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FD0.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5BEA2DC5-E950-4861-8DEF-132085883B45}
Filesize
128KB

MD5
a763b170dd1ce80f6516574c7e5ec59e

SHA1
3d86105b3618fac2bb6f350898e71cc12d553e5f

SHA256
5f71b59a7077f7a262fc22290e937d753f3eb32d2e52df0c1d2acc4f111354c2

SHA512
8ac2b4d0605375b0698359d6def3ba69f4fb0ff30169cb956a5d774ed2d971812f93488e5566dd75f4c6545a97980445211db221039d44e11355b9240718eb57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
2d3946735e9c4407280dae3f9240eb24

SHA1
0bc5819d4634e7ec0da3349a64b3101b5f0866b2

SHA256
073673e31db96d8f22224483b265c90ccd550208939c2020caee9f5a4aa9af57

SHA512
33691c07d96683bb5c243ae5cdc872c34ede3fa83aedaa0f246c5e7d2655e32eb704f8ab305a573198f2f4ee335fd6aa7b69f48264fbc4c4647fee6296ecadff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\nelb82019.scr
Filesize
577KB

MD5
13049d0aa3d789f8b8951726527b1713

SHA1
371c080cbf9425a1c8ad87050269e22e061c4f79

SHA256
0eb63b2464eb65ad5c2dad2881dadeb3c50da801b1b6846c07710dbd4cfb4c9a

SHA512
a899b15f7f7466eee28459cc62e6a75b1294f760cda97cbd8b8b0c5affa2e4700a3c48d2a31c3a3a2c9deb26de411a255fd9d56d6f9d98f2b40bb4f6fa17c04e

Download Submit
memory/272-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/272-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/272-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/272-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-138-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/1208-156-0x0000000006210000-0x00000000062F5000-memory.dmp

Filesize
916KB

Download
memory/1312-0-0x000000002F341000-0x000000002F342000-memory.dmp

Filesize
4KB

Download
memory/1312-2-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/1312-153-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/1312-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1312-186-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1312-187-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/1824-129-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1824-124-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1824-123-0x00000000000B0000-0x0000000000146000-memory.dmp

Filesize
600KB

Download
memory/2716-148-0x0000000000B20000-0x0000000000B3C000-memory.dmp

Filesize
112KB

Download
memory/2716-149-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download