Analysis
- max time kernel: 147s
- max time network: 187s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 18:13
- Static task: static1
- Behavioral task: behavioral1 (sample PN210700369.doc, resource win7v20210408)
- Behavioral task: behavioral2 (sample PN210700369.doc, resource win10-en-20210920)
General
- Target: PN210700369.doc
- Size: 12KB
- MD5: 0ab8548f84307cc143104f8557e39f20
- SHA1: 1a7472fc4e86faa731c4870e2ca3999f1aab5d6b
- SHA256: ae5beb31d816f7bc882e8422ea7d06fcd48d210d120ab9c505343f87d93e5b00
- SHA512: da2f86e69be7e0d8b8c0beafeee2230ec7ebfba7dd48c99d31bd23061eb27199145e6e65ec0ea49dc92aa50a2349454953ff3333442c1f6c3acf517b1245e3ee
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ed9s
- C2: http://www.vaughnmethod.com/ed9s/
Signatures
-
Formbook Payload 3 IoCs
Processes:
- resource behavioral1/memory/1520-78-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule formbook
- resource behavioral1/memory/1520-79-0x000000000041F160-mapping.dmp, yara_rule formbook
- resource behavioral1/memory/580-86-0x0000000000170000-0x000000000019F000-memory.dmp, yara_rule formbook
Blocklisted process makes network request 1 IoCs
Processes:
- flow 6, pid 1724, process EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
- pid 1796, process obinahwi7863.exe
- pid 1952, process obinahwi7863.exe
- pid 1512, process obinahwi7863.exe
- pid 1520, process obinahwi7863.exe
Loads dropped DLL 1 IoCs
Processes:
- pid 1724, process EQNEDT32.EXE
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1796 set thread context of 1520 (obinahwi7863.exe -> obinahwi7863.exe)
- PID 1520 set thread context of 1224 (obinahwi7863.exe -> Explorer.EXE)
- PID 580 set thread context of 1224 (wscript.exe -> Explorer.EXE)
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 1968, process WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
- pid 1796, process obinahwi7863.exe (4 entries)
- pid 1520, process obinahwi7863.exe (2 entries)
- pid 580, process wscript.exe (19 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1224, process Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 1520, process obinahwi7863.exe (3 entries)
- pid 580, process wscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
- Token: SeDebugPrivilege, pid 1796, process obinahwi7863.exe
- Token: SeDebugPrivilege, pid 1520, process obinahwi7863.exe
- Token: SeDebugPrivilege, pid 580, process wscript.exe
- Token: SeShutdownPrivilege, pid 1224, process Explorer.EXE (5 entries)
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
- pid 1224, process Explorer.EXE (8 entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
- pid 1224, process Explorer.EXE (4 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 1968, process WINWORD.EXE (2 entries)
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
- PID 1724 (EQNEDT32.EXE) wrote to memory of 1796 (obinahwi7863.exe), 4 entries
- PID 1968 (WINWORD.EXE) wrote to memory of 1680 (splwow64.exe), 4 entries
- PID 1796 (obinahwi7863.exe) wrote to memory of 1952 (obinahwi7863.exe), 4 entries
- PID 1796 (obinahwi7863.exe) wrote to memory of 1512 (obinahwi7863.exe), 4 entries
- PID 1796 (obinahwi7863.exe) wrote to memory of 1520 (obinahwi7863.exe), 7 entries
- PID 1224 (Explorer.EXE) wrote to memory of 580 (wscript.exe), 4 entries
- PID 580 (wscript.exe) wrote to memory of 1644 (cmd.exe), 4 entries
Processes
-
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PN210700369.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

  Level 2: C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"

Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
    Command line: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
      Command line: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
      - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
      Command line: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
      - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
      Command line: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
  MD5: 45703e2e8fea96fffb9db9aa78213b20
  SHA1: 4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea
  SHA256: 9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3
  SHA512: ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753
- memory/580-88-0x0000000002100000-0x0000000002403000-memory.dmp, filesize 3.0MB
- memory/580-85-0x0000000000B40000-0x0000000000B66000-memory.dmp, filesize 152KB
- memory/580-86-0x0000000000170000-0x000000000019F000-memory.dmp, filesize 188KB
- memory/580-84-0x0000000000000000-mapping.dmp
- memory/580-89-0x0000000002010000-0x00000000020A3000-memory.dmp, filesize 588KB
- memory/1224-83-0x0000000006130000-0x000000000625C000-memory.dmp, filesize 1.2MB
- memory/1224-90-0x0000000006260000-0x00000000063BC000-memory.dmp, filesize 1.4MB
- memory/1520-82-0x0000000000290000-0x00000000002A4000-memory.dmp, filesize 80KB
- memory/1520-78-0x0000000000400000-0x000000000042F000-memory.dmp, filesize 188KB
- memory/1520-81-0x0000000000AE0000-0x0000000000DE3000-memory.dmp, filesize 3.0MB
- memory/1520-79-0x000000000041F160-mapping.dmp
- memory/1644-87-0x0000000000000000-mapping.dmp
- memory/1680-72-0x0000000000000000-mapping.dmp
- memory/1680-73-0x000007FEFC051000-0x000007FEFC053000-memory.dmp, filesize 8KB
- memory/1796-75-0x0000000004370000-0x00000000043A1000-memory.dmp, filesize 196KB
- memory/1796-74-0x0000000005220000-0x0000000005282000-memory.dmp, filesize 392KB
- memory/1796-71-0x0000000000360000-0x000000000036E000-memory.dmp, filesize 56KB
- memory/1796-70-0x0000000004C00000-0x0000000004C01000-memory.dmp, filesize 4KB
- memory/1796-68-0x0000000000A40000-0x0000000000A41000-memory.dmp, filesize 4KB
- memory/1796-65-0x0000000000000000-mapping.dmp
- memory/1968-59-0x0000000072B51000-0x0000000072B54000-memory.dmp, filesize 12KB
- memory/1968-62-0x00000000767B1000-0x00000000767B3000-memory.dmp, filesize 8KB
- memory/1968-61-0x000000005FFF0000-0x0000000060000000-memory.dmp, filesize 64KB
- memory/1968-60-0x00000000705D1000-0x00000000705D3000-memory.dmp, filesize 8KB
- memory/1968-91-0x000000005FFF0000-0x0000000060000000-memory.dmp, filesize 64KB