Analysis
max time kernel: 151s
max time network: 135s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 16:35
Static task: static1
Behavioral task: behavioral1
  Sample: IMG_010357.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: IMG_010357.doc
  Resource: win10v20201028
General
Target: IMG_010357.doc
Size: 784KB
MD5: 802a08275e329d68836ba4d9afe7d9ab
SHA1: 248f795f372cb4ed8ccd3385c976131e8b31598e
SHA256: 0a07a25107fbbaede9d4fd47e306e666fd8694535e4ca6da79d7e33569efb52e
SHA512: 4c81b299d081ee0ac28e0ac99989c0bbb7a20de3dc660a1f91ffd86ae785a3a98ce73a25c4f0ab304def3c514d3a893de82e71c05634ab874b51cd45f32b92ea
Malware Config
Extracted
Family: formbook
URL: http://www.vitajwb.com/irux/
Domains:
heteltht.com
transbordaquemultiplica.com
ispartakulecleaner.com
woodcutter.website
gy88api8888.com
forsagemagic.com
greenqobbler.com
piligame.com
pcbet333.com
superpuzzlegames.com
jameslearyrealestate.com
acmarketinghacks.com
world-travel.xyz
sprayfoampocatello.com
anshangbao.com
qacpilotacademy.com
aodaicali.com
aarusystems.com
potion-designs.com
bajaenvocho.com
ourwfh.com
upliftfurnitureconcepts.com
almurasilnews.com
thestillmancowboyhats.com
blessedparfum.com
brandceowd.com
dekenchar.com
leaseplein.com
riverandrailga.com
smartbandbtraders.com
www-instagramhelpcenter.com
maneinstinct.com
jennifer-jones.com
exonmobilerewardsplua.com
westgateoptometry.net
cornelldevelopment.com
grhkj.com
authenicblackculture.com
feriavirtualdelibros.com
mountresonant.life
shopcelebratory.com
juliaaiz.art
fiveminutefixers.net
limonseltzer.com
skinsworldtrade.com
xn--vhqqb70qmrhwmvnh0e.xyz
rangers3.xyz
meixia.space
xn----7sbncclroqxy.xn--p1acf
cindybakerdesigns.com
ccheapvrshop.com
ymoac.com
well-being.international
ymdycrea.net
bowlboo.com
marikajboutique.com
ckhomecare.com
meimingvip.com
dwicans-8.info
downtoearthdiner.com
nantoeas.club
mugephoto.com
bestey.com
opinnovatesmx.com
Signatures

Formbook Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1472-23-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral1/memory/1472-24-0x000000000041ED00-mapping.dmp | formbook
  behavioral1/memory/1120-36-0x00000000000C0000-0x00000000000EE000-memory.dmp | formbook
Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  6 | 1352 | EQNEDT32.EXE
  8 | 1352 | EQNEDT32.EXE
Executes dropped EXE (2 IoCs)
  pid | process
  464 | 69577.exe
  1472 | AddInProcess32.exe
Loads dropped DLL (2 IoCs)
  pid | process
  1352 | EQNEDT32.EXE
  464 | 69577.exe
Suspicious use of SetThreadContext (4 IoCs)
  description | pid | process | target process
  PID 464 set thread context of 1472 | 464 | 69577.exe | AddInProcess32.exe
  PID 1472 set thread context of 1268 | 1472 | AddInProcess32.exe | Explorer.EXE
  PID 1472 set thread context of 1268 | 1472 | AddInProcess32.exe | Explorer.EXE
  PID 1120 set thread context of 1268 | 1120 | svchost.exe | Explorer.EXE
Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (9 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  792 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid | process | entries
  464 | 69577.exe | 2
  1472 | AddInProcess32.exe | 3
  1120 | svchost.exe | 25
Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process | entries
  1472 | AddInProcess32.exe | 4
  1120 | svchost.exe | 2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 464 | 69577.exe
  Token: SeDebugPrivilege | 1472 | AddInProcess32.exe
  Token: SeDebugPrivilege | 1120 | svchost.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process | entries
  1268 | Explorer.EXE | 4
Suspicious use of SendNotifyMessage (4 IoCs)
  pid | process | entries
  1268 | Explorer.EXE | 4
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process | entries
  792 | WINWORD.EXE | 2
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process | entries
  PID 792 wrote to memory of 1812 | 792 | WINWORD.EXE | splwow64.exe | 4
  PID 1352 wrote to memory of 464 | 1352 | EQNEDT32.EXE | 69577.exe | 4
  PID 464 wrote to memory of 1472 | 464 | 69577.exe | AddInProcess32.exe | 7
  PID 1268 wrote to memory of 1120 | 1268 | Explorer.EXE | svchost.exe | 4
  PID 1120 wrote to memory of 1316 | 1120 | svchost.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_010357.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\69577.exe
    Command line: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

C:\Users\Public\69577.exe
  MD5: 23a53bec3e0bf43ec47af722a6aac7cb
  SHA1: fca6e1d1690dea3911407662d8979c7cf037d754
  SHA256: 16160e8686be9eefc11ffc8eafdabfbcda53784d95d1b747717cbb90acaa04d4
  SHA512: b21fdb1c78ddab75df07fb2bbc84f4d3c2061178e6370bcef6744019e1ea5c46152ce7aeb0cfa152ea8c730e53cdca23e27d97fd5e1fdad89c24483f68bcebf1

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

\Users\Public\69577.exe
  MD5: 23a53bec3e0bf43ec47af722a6aac7cb
  SHA1: fca6e1d1690dea3911407662d8979c7cf037d754
  SHA256: 16160e8686be9eefc11ffc8eafdabfbcda53784d95d1b747717cbb90acaa04d4
  SHA512: b21fdb1c78ddab75df07fb2bbc84f4d3c2061178e6370bcef6744019e1ea5c46152ce7aeb0cfa152ea8c730e53cdca23e27d97fd5e1fdad89c24483f68bcebf1

Memory dumps | Filesize
memory/464-22-0x00000000041E1000-0x00000000041E2000-memory.dmp | 4KB
memory/464-10-0x0000000000000000-mapping.dmp |
memory/464-20-0x0000000001EE0000-0x0000000001EE1000-memory.dmp | 4KB
memory/464-19-0x00000000007F0000-0x00000000007FB000-memory.dmp | 44KB
memory/464-18-0x00000000041E0000-0x00000000041E1000-memory.dmp | 4KB
memory/464-13-0x000000006BAA0000-0x000000006C18E000-memory.dmp | 6.9MB
memory/464-14-0x00000000009B0000-0x00000000009B1000-memory.dmp | 4KB
memory/464-16-0x00000000004B0000-0x00000000004CE000-memory.dmp | 120KB
memory/464-17-0x00000000005C0000-0x00000000005C1000-memory.dmp | 4KB
memory/792-2-0x0000000072FE1000-0x0000000072FE4000-memory.dmp | 12KB
memory/792-3-0x0000000070A61000-0x0000000070A63000-memory.dmp | 8KB
memory/792-4-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/848-8-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp | 2.5MB
memory/1120-38-0x0000000000590000-0x0000000000623000-memory.dmp | 588KB
memory/1120-37-0x0000000000910000-0x0000000000C13000-memory.dmp | 3.0MB
memory/1120-36-0x00000000000C0000-0x00000000000EE000-memory.dmp | 184KB
memory/1120-35-0x00000000004E0000-0x00000000004E8000-memory.dmp | 32KB
memory/1120-32-0x0000000000000000-mapping.dmp |
memory/1268-31-0x0000000004F80000-0x0000000005061000-memory.dmp | 900KB
memory/1268-29-0x0000000004120000-0x00000000041DC000-memory.dmp | 752KB
memory/1268-39-0x0000000007310000-0x0000000007462000-memory.dmp | 1.3MB
memory/1316-34-0x0000000000000000-mapping.dmp |
memory/1352-7-0x0000000076861000-0x0000000076863000-memory.dmp | 8KB
memory/1472-23-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1472-28-0x0000000000370000-0x0000000000384000-memory.dmp | 80KB
memory/1472-30-0x00000000003B0000-0x00000000003C4000-memory.dmp | 80KB
memory/1472-24-0x000000000041ED00-mapping.dmp |
memory/1472-27-0x0000000000960000-0x0000000000C63000-memory.dmp | 3.0MB
memory/1812-6-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp | 8KB
memory/1812-5-0x0000000000000000-mapping.dmp |