Analysis
max time kernel: 300s
max time network: 270s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 10:25

Static task: static1
Behavioral task: behavioral1
  Sample: 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf
  Resource: win10v20210408

General
Target: 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf
Size: 49KB
MD5: 1e7bc879d7960afaa08148c635ae534f
SHA1: e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac
SHA256: 8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e
SHA512: 87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366
Malware Config
Extracted: formbook 4.1
http://www.containerflippers.com/np0c/
spartansurebets.com
threelakestradingco.com
metaspace.global
zjenbao.com
directlyincluded.press
peterchadri.com
learnhousebreaking.com
wonobattle.online
leadate.com
shebafarmscali.com
top4thejob.online
awakeyourfaith.com
bedford-st.com
lolwhats.com
cucurumbel.com
lokalbazaar.com
matter.pro
eastcountyanimalrescue.com
musesgirl.com
noordinarydairy.com
saigonstar2.com
farmacias-aranda.com
fjzzck.com
createandelevate.solutions
australiavapeoil.com
imperfectlymassabella.com
criminalmindeddesign.com
silverstoneca.com
scotlandpropertygroup.com
3dvbuild.com
privatebeautysuites.com
driplockerstore.com
rcdesigncompany.com
2141cascaderdsw.com
mybbblog.com
bodyambrosia.com
solitudeblog.com
coworkingofficespaces.com
9999cpa.com
flipwo.com
dynamicfitnesslife.store
anandsharmah.com
afyz-jf7y.net
erikagrandstaff.com
pumpfoil.com
bodurm.com
goldlifetime.com
a1organ.com
akomandr.com
hsavvysupply.com
dyvyn.com
bizlikeabosslady.network
livein.space
helpafounderout.com
orbmena.com
mrrodgersrealty.com
roxhomeswellington.com
klimareporter.com
1040fourthst405.com
blackbuiltbusinesses.com
solidswim.com
lordetkinlik3.com
gardencontainerbar.com
viperporn.net
Signatures

Formbook Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/732-81-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral1/memory/732-82-0x000000000041EB90-mapping.dmp  formbook
behavioral1/memory/1540-93-0x0000000000080000-0x00000000000AE000-memory.dmp  formbook
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
7  1976  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
pid  process
1796  princedan859323.exe
732  princedan859323.exe

Loads dropped DLL 2 IoCs
Processes:
pid  process
1976  EQNEDT32.EXE
1796  princedan859323.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description  pid  process  target process
PID 1796 set thread context of 732  1796  princedan859323.exe  princedan859323.exe
PID 732 set thread context of 1240  732  princedan859323.exe  Explorer.EXE
PID 732 set thread context of 1240  732  princedan859323.exe  Explorer.EXE
PID 1540 set thread context of 1240  1540  cmmon32.exe  Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid  process
1656  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
pid  process
1796  princedan859323.exe  (2 entries)
732  princedan859323.exe  (3 entries)
1540  cmmon32.exe  (45 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid  process
732  princedan859323.exe  (4 entries)
1540  cmmon32.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1796  princedan859323.exe
Token: SeDebugPrivilege  732  princedan859323.exe
Token: SeDebugPrivilege  1540  cmmon32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
1656  WINWORD.EXE
1656  WINWORD.EXE
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description  pid  process  target process
PID 1976 wrote to memory of 1796  1976  EQNEDT32.EXE  princedan859323.exe  (4 entries)
PID 1656 wrote to memory of 1376  1656  WINWORD.EXE  splwow64.exe  (4 entries)
PID 1796 wrote to memory of 732  1796  princedan859323.exe  princedan859323.exe  (7 entries)
PID 1240 wrote to memory of 1540  1240  Explorer.EXE  cmmon32.exe  (4 entries)
PID 1540 wrote to memory of 2004  1540  cmmon32.exe  cmd.exe  (4 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    (8 processes with this image and command line)

  C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\princedan859323.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\princedan859323.exe
    Command line: "C:\Users\Admin\AppData\Roaming\princedan859323.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\princedan859323.exe vgyjnbhui
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

C:\Users\Admin\AppData\Local\Temp\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

C:\Users\Admin\AppData\Roaming\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

C:\Users\Admin\AppData\Roaming\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

\Users\Admin\AppData\Local\Temp\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

\Users\Admin\AppData\Roaming\princedan859323.exe
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd
memory/732-81-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/732-87-0x00000000003E0000-0x00000000003F4000-memory.dmp  Filesize: 80KB
memory/732-84-0x0000000000770000-0x0000000000A73000-memory.dmp  Filesize: 3.0MB
memory/732-85-0x00000000003A0000-0x00000000003B4000-memory.dmp  Filesize: 80KB
memory/732-82-0x000000000041EB90-mapping.dmp
memory/1240-88-0x0000000006970000-0x0000000006ADF000-memory.dmp  Filesize: 1.4MB
memory/1240-86-0x0000000004050000-0x00000000041AD000-memory.dmp  Filesize: 1.4MB
memory/1376-72-0x0000000000000000-mapping.dmp
memory/1376-73-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp  Filesize: 8KB
memory/1540-89-0x0000000000000000-mapping.dmp
memory/1540-95-0x0000000001D10000-0x0000000001DA3000-memory.dmp  Filesize: 588KB
memory/1540-94-0x0000000001F40000-0x0000000002243000-memory.dmp  Filesize: 3.0MB
memory/1540-93-0x0000000000080000-0x00000000000AE000-memory.dmp  Filesize: 184KB
memory/1540-92-0x0000000000340000-0x000000000034D000-memory.dmp  Filesize: 52KB
memory/1656-61-0x0000000070A81000-0x0000000070A83000-memory.dmp  Filesize: 8KB
memory/1656-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1656-60-0x0000000073001000-0x0000000073004000-memory.dmp  Filesize: 12KB
memory/1656-63-0x0000000076E11000-0x0000000076E13000-memory.dmp  Filesize: 8KB
memory/1796-74-0x00000000047A0000-0x0000000004801000-memory.dmp  Filesize: 388KB
memory/1796-66-0x0000000000000000-mapping.dmp
memory/1796-69-0x0000000000870000-0x0000000000871000-memory.dmp  Filesize: 4KB
memory/1796-71-0x0000000004310000-0x0000000004311000-memory.dmp  Filesize: 4KB
memory/1796-79-0x0000000005AB0000-0x0000000005B22000-memory.dmp  Filesize: 456KB
memory/2004-91-0x0000000000000000-mapping.dmp