Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 03:04
Static task
static1
Behavioral task
behavioral1
Sample
OVER DUE INVOICE PAYMENT.docx
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
OVER DUE INVOICE PAYMENT.docx
Resource
win10v2004-20240611-en
General
-
Target
OVER DUE INVOICE PAYMENT.docx
-
Size
16KB
-
MD5
9f3fd4e8aa2ad81966d0c2a036d1e901
-
SHA1
80a58393acb58fcc666e56b514994d98ba3f4716
-
SHA256
cd9cf022180c8c6f6c4fb0d76476bf2e9382128d28a4686114c50448934e5381
-
SHA512
1f97f830da19d686d8a41f8be36809fbd245f8720835561730dd10bf7cbefe03f17e77df32c0d9c1333084fb598f718fec3ad69f6d7c9313a139b7faa872a7c1
-
SSDEEP
384:3oyX8glCWUs8PL8wi4OEwH8TIbE91r2fRgJY7viL6CnUaV:Yc8xv5P3DOqnYJu2vq6CnB
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.artefes.com - Port:
587 - Username:
[email protected] - Password:
ArtEfes4765*+
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/464-142-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/464-141-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/464-139-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/464-136-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/464-134-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 11 2860 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
obi23456.scrobi23456.scrpid process 316 obi23456.scr 464 obi23456.scr -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 2860 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
obi23456.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi23456.scr Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi23456.scr Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi23456.scr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
obi23456.scrdescription pid process target process PID 316 set thread context of 464 316 obi23456.scr obi23456.scr -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2188 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
obi23456.scrpid process 464 obi23456.scr 464 obi23456.scr -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
obi23456.scrWINWORD.EXEdescription pid process Token: SeDebugPrivilege 464 obi23456.scr Token: SeShutdownPrivilege 2188 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2188 WINWORD.EXE 2188 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEobi23456.scrWINWORD.EXEdescription pid process target process PID 2860 wrote to memory of 316 2860 EQNEDT32.EXE obi23456.scr PID 2860 wrote to memory of 316 2860 EQNEDT32.EXE obi23456.scr PID 2860 wrote to memory of 316 2860 EQNEDT32.EXE obi23456.scr PID 2860 wrote to memory of 316 2860 EQNEDT32.EXE obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 316 wrote to memory of 464 316 obi23456.scr obi23456.scr PID 2188 wrote to memory of 444 2188 WINWORD.EXE splwow64.exe PID 2188 wrote to memory of 444 2188 WINWORD.EXE splwow64.exe PID 2188 wrote to memory of 444 2188 WINWORD.EXE splwow64.exe PID 2188 wrote to memory of 444 2188 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
obi23456.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi23456.scr -
outlook_win_path 1 IoCs
Processes:
obi23456.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi23456.scr
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICE PAYMENT.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obi23456.scr"C:\Users\Admin\AppData\Roaming\obi23456.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obi23456.scr"C:\Users\Admin\AppData\Roaming\obi23456.scr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12Filesize
1KB
MD52365869258df7a66a2121b802ca4afd9
SHA173acc30a2edeb9d6830de559bb8a74f35168135d
SHA256d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed
SHA512795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8Filesize
436B
MD51bfe0a81db078ea084ff82fe545176fe
SHA150b116f578bd272922fa8eae94f7b02fd3b88384
SHA2565ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
SHA51237c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12Filesize
174B
MD531c17e133602752f8f7bf7bd73036291
SHA1e05be5e8b1d85b74feafa5143077aae6d39dfd28
SHA25650eee3ea23cef2732e224efddcacd671e3eb95624cefbe508fa73079ef643b27
SHA512af0a56ca97e902f9d5d8f85c1393f2c63bec5e0837aba35f0a2f656b7c19105b2da83ed04b38ebae2b3adff20bb370e84b3b979ebf6f60527dfeab71632f87b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51d0f4b95dc05eec3cac2ca0ed20ae9f3
SHA12bdeb3a7a4b56a05291ae0cd2cdfc374697dc9df
SHA256b4a9ae9e72d7f6305e2d83901025b04e8dc454cde3389314340eacea875807a8
SHA51218b9d7bd973c085bebe5e7b951a338ee4f8297a9e0683424c6f0abd1395da9057227ee18fc5c72ecedcc8e71cd4ef59593daff0cc9e5f647e4ec393310acafd7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8Filesize
170B
MD5436d071993901f38e3810ed96c4c8233
SHA179810abbbb06e0f408922a572e153133692002ad
SHA2567b1500f6f62c05630a77c37a9f036fb4100c9cf96661f5267528a83b6d4fdecf
SHA512903a082ace3d666196fc5db5baacf39e2441cb0f91ae4c3636edeb0c00d134f177f10de6ba4d828f24caa8832150c067b1d8db25fb46b6cf4bd24de4261f388c
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5c2f503e1fcc87e1c36450dff1d86ac64
SHA1b867a48cccf67cd277065ba5cb973d695ab63e70
SHA256ceb56d004c088bf150e4e533c0665c0851ca88f3983d757d333aac8a55e34441
SHA512f151e804bfadf12f3f6a4020b3ad46f5acf0bc5ca652d3b1d1b977f9b021e5ab07370c37d3967151de2c5ae5a58ca134a588f224c36e970e23b8d388eab757d0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9B0D68A9-9773-4604-95EE-454A4B7E62B1}.FSDFilesize
128KB
MD578b92884fdab27a6e9eedb7817177cd9
SHA1e53b24863eeb41fcc372576fb748ebe2bd028639
SHA2563b191a9e035946083e7b16577c449a1e98ed9baa956c0e92da5c5579a5e175bd
SHA512d9c72844fc26adcf3e5eb33a27d29b815bf6d0a9e979ef678742a78795c181e037c37edcc0e9a9c6943308b101054189593efc99326312d77f539dcfdcc698f3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\obb[1].docFilesize
536KB
MD53f9a089317afa13a17b61d5e0f95b75e
SHA1f5129818d643fba59bf77bc2785eef2af34db679
SHA25609cc281d7242aeddd2de25d63ef16e9b8d190bd06d31928410fdaef1e5a5c351
SHA5126a73233318865bd82c9a15887421a1197febfb88070216979be9c04f97c9749dae728fd75f3c4d372f4a7c0e834750e3aac4422508bcbbc39d9ec82d9c1822c8
-
C:\Users\Admin\AppData\Local\Temp\Cab3D7D.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\{EB5E1D64-F82E-4350-8294-9E02EF987974}Filesize
128KB
MD58310b1ce80017fde26731aefedc72c46
SHA1247e03d489284995cc053a343423871b861d888b
SHA256f77e9daabd2682d2cda4b50207f72af268676231c3f49cc24b0d0ac40edf35a2
SHA51228150f83d892efea846294cb1cc0ebf752133854fdeb7c3d3ee5178c1769c07c743328fa1acdecdcee2d99f39ba6d98224bc3ec858e48ed2fd7a75ac022825f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5f29acdb510ce3103dacb988f9b7024e1
SHA1294ffd4275942f7c4c4f3c5d9f38ba6ed33ff5ec
SHA2567eb739aca2af972675d3ba8b835fdf8c2625a553010b865722c4a2c3a9b1e062
SHA5128260a9d3f0c84182671d8eeabce4bd1cd5762574207bb9514a44c491358debbdbc7a29efcef4885b21845c3c2eb4014de9102b6f9379e15b3a70ea25f175f363
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\obi23456.scrFilesize
508KB
MD5f7bdadaff67e573f145d2e8e32e32cd8
SHA1cfd1377d49e09ecfa842760dd9cc78cc17a34628
SHA256fe80eeade269ce2b6688e039296fc9e9743e24f881341adad24e220967312316
SHA51225477c0a78d20a43c6cfa7819185c680566c20e6d0c7a65ffecbddc91df9bd91310b6368b849b6f8f6688d85a2c86e3c9af1f68ec4358deb3cc94a6473d3f4c6
-
memory/316-122-0x0000000001220000-0x00000000012A6000-memory.dmpFilesize
536KB
-
memory/316-129-0x00000000004F0000-0x00000000004F8000-memory.dmpFilesize
32KB
-
memory/316-128-0x0000000000AB0000-0x0000000000B04000-memory.dmpFilesize
336KB
-
memory/464-136-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-134-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-142-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-141-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-139-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/464-132-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/464-130-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2188-0-0x000000002FF01000-0x000000002FF02000-memory.dmpFilesize
4KB
-
memory/2188-2-0x000000007108D000-0x0000000071098000-memory.dmpFilesize
44KB
-
memory/2188-153-0x000000007108D000-0x0000000071098000-memory.dmpFilesize
44KB
-
memory/2188-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2188-177-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2188-178-0x000000007108D000-0x0000000071098000-memory.dmpFilesize
44KB