Analysis
-
max time kernel: 150s
max time network: 137s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTATION1100630004R2.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: QUOTATION1100630004R2.doc
  Resource: win10v20210408
General
-
Target: QUOTATION1100630004R2.doc
Size: 54KB
MD5: a3336f2a85c572aab40243c347ebfe59
SHA1: f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256: 9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
SHA512: b4a02c7df3537f861429346bd2813de9f89cdb18fb867b8f9eb140d6e2d190bf1a9ff33302e919c111b1e379ef09840c8c1c8289d7fb20fbe2fff4268ea085cf
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.containerflippers.com/np0c/
spartansurebets.com
threelakestradingco.com
metaspace.global
zjenbao.com
directlyincluded.press
peterchadri.com
learnhousebreaking.com
wonobattle.online
leadate.com
shebafarmscali.com
top4thejob.online
awakeyourfaith.com
bedford-st.com
lolwhats.com
cucurumbel.com
lokalbazaar.com
matter.pro
eastcountyanimalrescue.com
musesgirl.com
noordinarydairy.com
saigonstar2.com
farmacias-aranda.com
fjzzck.com
createandelevate.solutions
australiavapeoil.com
imperfectlymassabella.com
criminalmindeddesign.com
silverstoneca.com
scotlandpropertygroup.com
3dvbuild.com
privatebeautysuites.com
driplockerstore.com
rcdesigncompany.com
2141cascaderdsw.com
mybbblog.com
bodyambrosia.com
solitudeblog.com
coworkingofficespaces.com
9999cpa.com
flipwo.com
dynamicfitnesslife.store
anandsharmah.com
afyz-jf7y.net
erikagrandstaff.com
pumpfoil.com
bodurm.com
goldlifetime.com
a1organ.com
akomandr.com
hsavvysupply.com
dyvyn.com
bizlikeabosslady.network
livein.space
helpafounderout.com
orbmena.com
mrrodgersrealty.com
roxhomeswellington.com
klimareporter.com
1040fourthst405.com
blackbuiltbusinesses.com
solidswim.com
lordetkinlik3.com
gardencontainerbar.com
viperporn.net
Signatures
-
Formbook Payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/728-81-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral1/memory/728-82-0x000000000041EB90-mapping.dmp | formbook
  behavioral1/memory/944-91-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  7 | 1796 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  812 | princedan85671.exe
  728 | princedan85671.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1796 | EQNEDT32.EXE
  812 | princedan85671.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 812 set thread context of 728 | 812 | princedan85671.exe | princedan85671.exe
  PID 728 set thread context of 1256 | 728 | princedan85671.exe | Explorer.EXE
  PID 944 set thread context of 1256 | 944 | systray.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1208 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
  pid | process | entries
  812 | princedan85671.exe | 2
  728 | princedan85671.exe | 2
  944 | systray.exe | 17
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  1256 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid | process | entries
  728 | princedan85671.exe | 3
  944 | systray.exe | 2
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 812 | princedan85671.exe
  Token: SeDebugPrivilege | 728 | princedan85671.exe
  Token: SeDebugPrivilege | 944 | systray.exe
  Token: SeShutdownPrivilege | 1256 | Explorer.EXE
  Token: SeShutdownPrivilege | 1256 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | process | entries
  1208 | WINWORD.EXE | 2
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
  description | pid | process | target process | entries
  PID 1796 wrote to memory of 812 | 1796 | EQNEDT32.EXE | princedan85671.exe | 4
  PID 1208 wrote to memory of 1756 | 1208 | WINWORD.EXE | splwow64.exe | 4
  PID 812 wrote to memory of 728 | 812 | princedan85671.exe | princedan85671.exe | 7
  PID 1256 wrote to memory of 944 | 1256 | Explorer.EXE | systray.exe | 4
  PID 944 wrote to memory of 1484 | 944 | systray.exe | cmd.exe | 4
Processes
-
C:\Windows\Explorer.EXE (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1208)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION1100630004R2.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1756)
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\systray.exe (PID 944)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1484)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\princedan85671.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1796)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\princedan85671.exe (PID 812)
    command line: "C:\Users\Admin\AppData\Roaming\princedan85671.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\princedan85671.exe (PID 728)
      command line: C:\Users\Admin\AppData\Local\Temp\princedan85671.exe vgyjnbhui
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Every dropped copy of princedan85671.exe listed below carries the same hashes:
  MD5: 0e715db2198ff670f4bf0e88e0e9b547
  SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd
Paths:
  C:\Users\Admin\AppData\Local\Temp\princedan85671.exe (listed twice)
  C:\Users\Admin\AppData\Roaming\princedan85671.exe (listed twice)
  \Users\Admin\AppData\Local\Temp\princedan85671.exe
  \Users\Admin\AppData\Roaming\princedan85671.exe
-
Memory dumps:
  dump | Filesize
  memory/728-81-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
  memory/728-84-0x0000000000920000-0x0000000000C23000-memory.dmp | 3.0MB
  memory/728-85-0x0000000000180000-0x0000000000194000-memory.dmp | 80KB
  memory/728-82-0x000000000041EB90-mapping.dmp | (mapping only)
  memory/812-69-0x0000000000030000-0x0000000000031000-memory.dmp | 4KB
  memory/812-71-0x0000000004D00000-0x0000000004D01000-memory.dmp | 4KB
  memory/812-66-0x0000000000000000-mapping.dmp | (mapping only)
  memory/812-74-0x0000000001FA0000-0x0000000002001000-memory.dmp | 388KB
  memory/812-79-0x0000000005AC0000-0x0000000005B32000-memory.dmp | 456KB
  memory/944-93-0x0000000001EE0000-0x0000000001F73000-memory.dmp | 588KB
  memory/944-90-0x0000000000140000-0x0000000000145000-memory.dmp | 20KB
  memory/944-87-0x0000000000000000-mapping.dmp | (mapping only)
  memory/944-91-0x0000000000080000-0x00000000000AE000-memory.dmp | 184KB
  memory/944-92-0x0000000001FD0000-0x00000000022D3000-memory.dmp | 3.0MB
  memory/1208-95-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
  memory/1208-61-0x000000006FE01000-0x000000006FE03000-memory.dmp | 8KB
  memory/1208-62-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
  memory/1208-60-0x0000000072381000-0x0000000072384000-memory.dmp | 12KB
  memory/1208-63-0x0000000075561000-0x0000000075563000-memory.dmp | 8KB
  memory/1256-86-0x0000000006150000-0x00000000062D0000-memory.dmp | 1.5MB
  memory/1256-94-0x0000000006AD0000-0x0000000006C29000-memory.dmp | 1.3MB
  memory/1484-89-0x0000000000000000-mapping.dmp | (mapping only)
  memory/1756-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmp | 8KB
  memory/1756-72-0x0000000000000000-mapping.dmp | (mapping only)