Analysis
max time kernel:  149s
max time network: 46s
platform:         windows7_x64
resource:         win7v20210410
submitted:        26-07-2021 12:46
Static task:     static1
Behavioral task: behavioral1 (sample QUOTATION#1100630004R2.doc, resource win7v20210410)
Behavioral task: behavioral2 (sample QUOTATION#1100630004R2.doc, resource win10v20210410)
General
Target: QUOTATION#1100630004R2.doc
Size:   54KB
MD5:    a3336f2a85c572aab40243c347ebfe59
SHA1:   f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256: 9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
SHA512: b4a02c7df3537f861429346bd2813de9f89cdb18fb867b8f9eb140d6e2d190bf1a9ff33302e919c111b1e379ef09840c8c1c8289d7fb20fbe2fff4268ea085cf
Malware Config
Extracted
family:  formbook
version: 4.1
C2:      http://www.containerflippers.com/np0c/
Decoy domains. Formbook builds embed a list of decoy domains next to the single live C2 path; the entries below are that extracted list, so treat them as an indicator of this build, not as confirmed C2 infrastructure, before blocking or attributing them:
spartansurebets.com
threelakestradingco.com
metaspace.global
zjenbao.com
directlyincluded.press
peterchadri.com
learnhousebreaking.com
wonobattle.online
leadate.com
shebafarmscali.com
top4thejob.online
awakeyourfaith.com
bedford-st.com
lolwhats.com
cucurumbel.com
lokalbazaar.com
matter.pro
eastcountyanimalrescue.com
musesgirl.com
noordinarydairy.com
saigonstar2.com
farmacias-aranda.com
fjzzck.com
createandelevate.solutions
australiavapeoil.com
imperfectlymassabella.com
criminalmindeddesign.com
silverstoneca.com
scotlandpropertygroup.com
3dvbuild.com
privatebeautysuites.com
driplockerstore.com
rcdesigncompany.com
2141cascaderdsw.com
mybbblog.com
bodyambrosia.com
solitudeblog.com
coworkingofficespaces.com
9999cpa.com
flipwo.com
dynamicfitnesslife.store
anandsharmah.com
afyz-jf7y.net
erikagrandstaff.com
pumpfoil.com
bodurm.com
goldlifetime.com
a1organ.com
akomandr.com
hsavvysupply.com
dyvyn.com
bizlikeabosslady.network
livein.space
helpafounderout.com
orbmena.com
mrrodgersrealty.com
roxhomeswellington.com
klimareporter.com
1040fourthst405.com
blackbuiltbusinesses.com
solidswim.com
lordetkinlik3.com
gardencontainerbar.com
viperporn.net
Signatures

Formbook Payload  3 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/240-78-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/240-79-0x000000000041EB90-mapping.dmp                     formbook
  behavioral1/memory/1896-89-0x0000000000090000-0x00000000000BE000-memory.dmp  formbook

Blocklisted process makes network request  1 IoCs
  flow  pid   process
  6     1740  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE  2 IoCs
  pid  process
  760  princedan85671.exe
  240  princedan85671.exe

Loads dropped DLL  2 IoCs
  pid   process
  1740  EQNEDT32.EXE
  760   princedan85671.exe

Suspicious use of SetThreadContext  4 IoCs
  description                          pid   process             target process
  PID 760 set thread context of 240    760   princedan85671.exe  princedan85671.exe
  PID 240 set thread context of 1264   240   princedan85671.exe  Explorer.EXE
  PID 240 set thread context of 1264   240   princedan85671.exe  Explorer.EXE
  PID 1896 set thread context of 1264  1896  cmstp.exe           Explorer.EXE
  Read together with the WriteProcessMemory entries below, this is the Formbook injection chain: the dropper (760) hollows a second copy of itself (240), that copy injects into Explorer.EXE (1264), Explorer then starts cmstp.exe (1896), and cmstp.exe injects back into Explorer.

Drops file in Windows directory  1 IoCs
  description                   ioc                                process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
  (WIA tracing log; Office touches it routinely, so this entry on its own is not evidence of attacker activity.)

Office loads VBA resources, possible macro or embedded object present
  Consistent with the embedded object that launches EQNEDT32.EXE below; no macro execution appears elsewhere in this report.

Launches Equation Editor  1 TTPs  1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings  9 IoCs
  All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer; the process is WINWORD.EXE in every case.
  Key created      Toolbar
  Key created      MenuExt
  Key created      MenuExt\Se&nd to OneNote
  Key created      MenuExt\E&xport to Microsoft Excel
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  (These are Office 2010's own registrations of its OneNote and Excel context-menu extensions for Internet Explorer, normal on first launch, not attacker persistence.)

Suspicious behavior: AddClipboardFormatListener  1 IoCs
  pid   process
  1084  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses  20 IoCs
  pid   process             count
  760   princedan85671.exe  2
  240   princedan85671.exe  3
  1896  cmstp.exe           15

Suspicious behavior: MapViewOfSection  6 IoCs
  pid   process             count
  240   princedan85671.exe  4
  1896  cmstp.exe           2

Suspicious use of AdjustPrivilegeToken  5 IoCs
  description                 pid   process
  Token: SeDebugPrivilege     760   princedan85671.exe
  Token: SeDebugPrivilege     240   princedan85671.exe
  Token: SeShutdownPrivilege  1264  Explorer.EXE
  Token: SeDebugPrivilege     1896  cmstp.exe
  Token: SeShutdownPrivilege  1264  Explorer.EXE

Suspicious use of SetWindowsHookEx  2 IoCs
  pid   process      count
  1084  WINWORD.EXE  2

Suspicious use of WriteProcessMemory  22 IoCs
  description                        pid   process             target process      count
  PID 1740 wrote to memory of 760    1740  EQNEDT32.EXE        princedan85671.exe  4
  PID 760 wrote to memory of 240     760   princedan85671.exe  princedan85671.exe  7
  PID 1264 wrote to memory of 1896   1264  Explorer.EXE        cmstp.exe           7
  PID 1896 wrote to memory of 2004   1896  cmstp.exe           cmd.exe             4
Processes
(PIDs are taken from the signature tables above; the report gives none for the autochk.exe instances.)

C:\Windows\Explorer.EXE  (PID 1264)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1084)
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION#1100630004R2.doc"
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\autochk.exe  (13 separate instances, each with command line "C:\Windows\SysWOW64\autochk.exe"; no signatures)

    C:\Windows\SysWOW64\cmstp.exe  (PID 1896)
        command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 2004)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\princedan85671.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1740)
    command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\princedan85671.exe  (PID 760)
        command line: "C:\Users\Admin\AppData\Roaming\princedan85671.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\princedan85671.exe  (PID 240)
            command line: C:\Users\Admin\AppData\Local\Temp\princedan85671.exe vgyjnbhui
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
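The tree above is what endpoint process-creation telemetry would record for this sample: Equation Editor starting a dropper from AppData\Roaming, the dropper relaunching a same-named copy from AppData\Local\Temp, the injected Explorer.EXE starting autochk.exe thirteen times and then cmstp.exe, and cmstp.exe spawning cmd.exe /c del to remove the dropper. The following is an added example, not part of the sandbox report: Python detection rules for each of those steps, run over constructed Sysmon-style (Event ID 1) records that mirror this report's tree. The svchost.exe parent of EQNEDT32.EXE, PIDs 600, 3001-3013 and 4100, and the notepad.exe control event are assumptions not present in the report; the threshold of five repeated launches is a tuning choice.

```python
"""Detection rules for the execution chain in this report, run over
constructed Sysmon-style process-creation records (Event ID 1 fields).
Added example; not part of the sandbox output."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str        # arguments as logged
    parent_image: str   # full path of the creating process


OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
MASS_SPAWN_THRESHOLD = 5  # assumption: tune to the environment


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def under(path: str, prefixes) -> bool:
    low = path.lower()
    return any(p in low for p in prefixes)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        parent, child = base(e.parent_image), base(e.image)
        # 1. Equation Editor never needs child processes; any child means exploitation.
        if parent == "eqnedt32.exe":
            hits.append(("eqnedt32_spawns_child", e.pid, child))
        # 2. An Office host starting an executable from a user-writable directory.
        if parent in OFFICE_HOSTS and under(e.image, USER_WRITABLE):
            hits.append(("office_spawns_from_user_writable", e.pid, e.image))
        # 3. A binary relaunching a same-named copy from a different user-writable
        #    directory (Roaming\princedan85671.exe -> Temp\princedan85671.exe here).
        if (child == parent and under(e.image, USER_WRITABLE)
                and ntpath.dirname(e.image).lower() != ntpath.dirname(e.parent_image).lower()):
            hits.append(("same_name_relaunch_from_other_dir", e.pid, e.image))
        # 4. cmd.exe deleting a file under a user-writable path, started by something
        #    that is not itself a shell (the injected cmstp.exe removing the dropper).
        m = re.search(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', e.cmdline, re.IGNORECASE)
        if child == "cmd.exe" and m and parent not in SHELLS:
            target = m.group(1) or m.group(2)
            if under(target, USER_WRITABLE):
                hits.append(("cmd_deletes_dropper", e.pid, target))
    # 5. Explorer.EXE launching the same System32/SysWOW64 binary many times
    #    (the thirteen autochk.exe instances: hollowing-target attempts).
    counts = Counter(
        base(e.image) for e in events
        if base(e.parent_image) == "explorer.exe" and under(e.image, SYSTEM_DIRS)
    )
    for name, n in counts.items():
        if n >= MASS_SPAWN_THRESHOLD:
            ppid = next(e.ppid for e in events
                        if base(e.image) == name and base(e.parent_image) == "explorer.exe")
            hits.append(("explorer_mass_spawns_system_binary", ppid, f"{name} x{n}"))
    return hits


# Constructed sample mirroring this report's process tree. The svchost.exe parent,
# PIDs 600, 3001-3013 and 4100, and the notepad.exe event are assumptions.
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPLORER = r"C:\Windows\Explorer.EXE"
ROAMING = r"C:\Users\Admin\AppData\Roaming\princedan85671.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp\princedan85671.exe"
AUTOCHK = r"C:\Windows\SysWOW64\autochk.exe"
CMSTP = r"C:\Windows\SysWOW64\cmstp.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [
    ProcEvent(1084, 1264, OFFICE, r'/n "C:\Users\Admin\AppData\Local\Temp\QUOTATION#1100630004R2.doc"', EXPLORER),
    ProcEvent(1740, 600, EQNEDT, "-Embedding", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(760, 1740, ROAMING, "", EQNEDT),
    ProcEvent(240, 760, TEMP, "vgyjnbhui", ROAMING),
    *[ProcEvent(3000 + i, 1264, AUTOCHK, "", EXPLORER) for i in range(1, 14)],
    ProcEvent(1896, 1264, CMSTP, "", EXPLORER),
    ProcEvent(2004, 1896, CMD, f'/c del "{TEMP}"', CMSTP),
    ProcEvent(4100, 1264, r"C:\Windows\System32\notepad.exe", "", EXPLORER),  # benign control
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

Rules 1 and 2 fire on the dropper (PID 760), rule 3 on the Temp copy (PID 240), rule 4 on the cleanup cmd.exe (PID 2004) and rule 5 on Explorer.EXE for the repeated autochk.exe launches; WINWORD.EXE, cmstp.exe (a single launch) and the notepad.exe control produce nothing. Rule 1 is the cheapest and highest-confidence of the five: EQNEDT32.EXE has no legitimate child processes, so it needs no threshold.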
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Every dropped copy of princedan85671.exe listed below has the same hashes:
  MD5:    0e715db2198ff670f4bf0e88e0e9b547
  SHA1:   2de5030a9261655e5879e4faba7b5e79d1dd483e
  SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
  SHA512: 8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd

Files (each entry as listed in the report):
  C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
  C:\Users\Admin\AppData\Local\Temp\princedan85671.exe
  C:\Users\Admin\AppData\Roaming\princedan85671.exe
  C:\Users\Admin\AppData\Roaming\princedan85671.exe
  \Users\Admin\AppData\Local\Temp\princedan85671.exe
  \Users\Admin\AppData\Roaming\princedan85671.exe

Memory dumps (grouped by PID; sizes as reported):

  PID 1084 (WINWORD.EXE)
    memory/1084-59-0x0000000072FC1000-0x0000000072FC4000-memory.dmp   12KB
    memory/1084-60-0x0000000070A41000-0x0000000070A43000-memory.dmp   8KB
    memory/1084-61-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
    memory/1084-62-0x0000000075A31000-0x0000000075A33000-memory.dmp   8KB

  PID 760 (princedan85671.exe, AppData\Roaming)
    memory/760-65-0x0000000000000000-mapping.dmp
    memory/760-68-0x00000000013E0000-0x00000000013E1000-memory.dmp    4KB
    memory/760-70-0x0000000005070000-0x0000000005071000-memory.dmp    4KB
    memory/760-71-0x0000000000B90000-0x0000000000BF1000-memory.dmp    388KB
    memory/760-76-0x0000000005190000-0x0000000005202000-memory.dmp    456KB

  PID 240 (princedan85671.exe, AppData\Local\Temp)
    memory/240-78-0x0000000000400000-0x000000000042E000-memory.dmp    184KB   (formbook yara hit)
    memory/240-79-0x000000000041EB90-mapping.dmp                              (formbook yara hit)
    memory/240-81-0x0000000000700000-0x0000000000A03000-memory.dmp    3.0MB
    memory/240-82-0x0000000000450000-0x0000000000464000-memory.dmp    80KB
    memory/240-84-0x0000000000490000-0x00000000004A4000-memory.dmp    80KB

  PID 1264 (Explorer.EXE)
    memory/1264-83-0x0000000004120000-0x0000000004243000-memory.dmp   1.1MB
    memory/1264-85-0x00000000072D0000-0x0000000007415000-memory.dmp   1.3MB

  PID 1896 (cmstp.exe)
    memory/1896-86-0x0000000000000000-mapping.dmp
    memory/1896-88-0x0000000000B70000-0x0000000000B88000-memory.dmp   96KB
    memory/1896-89-0x0000000000090000-0x00000000000BE000-memory.dmp   184KB   (formbook yara hit)
    memory/1896-92-0x0000000001F90000-0x0000000002293000-memory.dmp   3.0MB
    memory/1896-93-0x0000000000930000-0x00000000009C3000-memory.dmp   588KB

  PID 2004 (cmd.exe)
    memory/2004-91-0x0000000000000000-mapping.dmp