Analysis
max time kernel: 150s
max time network: 187s
platform: windows7_x64
resource: win7v20210408
submitted: 28-09-2021 19:13
Static task: static1
Behavioral task: behavioral1 (sample PN210700369.doc, resource win7v20210408)
Behavioral task: behavioral2 (sample PN210700369.doc, resource win10-en-20210920)
General
Target: PN210700369.doc
Size: 12KB
MD5: 0ab8548f84307cc143104f8557e39f20
SHA1: 1a7472fc4e86faa731c4870e2ca3999f1aab5d6b
SHA256: ae5beb31d816f7bc882e8422ea7d06fcd48d210d120ab9c505343f87d93e5b00
SHA512: da2f86e69be7e0d8b8c0beafeee2230ec7ebfba7dd48c99d31bd23061eb27199145e6e65ec0ea49dc92aa50a2349454953ff3333442c1f6c3acf517b1245e3ee
Malware Config
Extracted: formbook
Version: 4.1
ed9s
http://www.vaughnmethod.com/ed9s/
Signatures
Formbook Payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/1340-77-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1340-78-0x000000000041F160-mapping.dmp  formbook
  behavioral1/memory/1592-88-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
Blocklisted process makes network request (1 IoCs)
  flow / pid / process:
  6  1068  EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
  pid / process:
  1564  obinahwi7863.exe
  1264  obinahwi7863.exe
  1340  obinahwi7863.exe
Loads dropped DLL (1 IoCs)
  pid / process:
  1068  EQNEDT32.EXE
Suspicious use of SetThreadContext (4 IoCs)
  description / pid / process / target process:
  PID 1564 set thread context of 1340  1564  obinahwi7863.exe  obinahwi7863.exe
  PID 1340 set thread context of 1208  1340  obinahwi7863.exe  Explorer.EXE
  PID 1340 set thread context of 1208  1340  obinahwi7863.exe  Explorer.EXE
  PID 1592 set thread context of 1208  1592  cmd.exe  Explorer.EXE
Drops file in Windows directory (1 IoCs)
  description / ioc / process:
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
  (registry table; the signature name is taken from the WINWORD.EXE entry in the process tree below)
  description / ioc / process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid / process:
  816  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid / process (repeated events collapsed with a count):
  1564  obinahwi7863.exe  (x2)
  1340  obinahwi7863.exe  (x3)
  1592  cmd.exe  (x18)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / process:
  1208  Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process (repeated events collapsed with a count):
  1340  obinahwi7863.exe  (x4)
  1592  cmd.exe  (x2)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description / pid / process (repeated events collapsed with a count):
  Token: SeDebugPrivilege  1564  obinahwi7863.exe
  Token: SeDebugPrivilege  1340  obinahwi7863.exe
  Token: SeDebugPrivilege  1592  cmd.exe
  Token: SeShutdownPrivilege  1208  Explorer.EXE  (x3)
Suspicious use of FindShellTrayWindow (6 IoCs)
  pid / process:
  1208  Explorer.EXE  (x6)
Suspicious use of SendNotifyMessage (4 IoCs)
  pid / process:
  1208  Explorer.EXE  (x4)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
  816  WINWORD.EXE  (x2)
Suspicious use of WriteProcessMemory (27 IoCs)
  description / pid / process / target process (repeated events collapsed with a count):
  PID 1068 wrote to memory of 1564  1068  EQNEDT32.EXE  obinahwi7863.exe  (x4)
  PID 816 wrote to memory of 1032  816  WINWORD.EXE  splwow64.exe  (x4)
  PID 1564 wrote to memory of 1264  1564  obinahwi7863.exe  obinahwi7863.exe  (x4)
  PID 1564 wrote to memory of 1340  1564  obinahwi7863.exe  obinahwi7863.exe  (x7)
  PID 1208 wrote to memory of 1592  1208  Explorer.EXE  cmd.exe  (x4)
  PID 1592 wrote to memory of 1488  1592  cmd.exe  cmd.exe  (x4)
Processes (indentation shows parent/child depth; each entry lists the image path, its command line, and the signatures it triggered)
C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PN210700369.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      cmdline: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: /c del "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\obinahwi7863.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Roaming\obinahwi7863.exe
  MD5: 45703e2e8fea96fffb9db9aa78213b20
  SHA1: 4c1d8fcf41c7ea7aa12bcd716a88836fb7dae3ea
  SHA256: 9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3
  SHA512: ba3958967c0ce10455e2a1f0e0773c5ab568320c3df51324e51ca16022e36e49f84e69500043e62540df14d65610fc90aa2e77c4863b8da07f613a3227906753