Analysis
max time kernel: 153s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211104
submitted: 25-11-2021 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: Documents – Packing List Commercial Invoice.rtf
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: Documents – Packing List Commercial Invoice.rtf
  Resource: win10-en-20211014
General
Target: Documents – Packing List Commercial Invoice.rtf
Size: 18KB
MD5: a5b0056fd2f56303ba063e967644b85f
SHA1: 33be2e3727a6e239185edc9deb0134a1a8e3bea1
SHA256: c9d934e0fcb1ab001bc65247caad607d2510f451fc507a7e0773472c70bd15c6
SHA512: dba809471f0bd68da03367c86d30656f85df5624d4d5270d7971b4ce55f3093cfd8551d44ac948600fef8ec9c91a87672989fd8d3b0762cae62a38370e8f463d
Malware Config
Extracted
xloader
2.5
rh6s
http://www.barkerfamilyenterprises.com/rh6s/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
behavioral1/memory/1152-76-0x0000000072480000-0x00000000724AA000-memory.dmp: xloader
behavioral1/memory/1152-81-0x0000000072480000-0x00000000724AA000-memory.dmp: xloader
behavioral1/memory/1912-87-0x0000000000080000-0x00000000000A9000-memory.dmp: xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 5, pid 1592, process EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid 2036, process mmmfdh7681.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid 1592, process EQNEDT32.EXE (2 entries)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quxmwtbv = "C:\\Users\\Admin\\Contacts\\vbtwmxuQ.url" (process: mmmfdh7681.exe)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 1152 (mobsync.exe) set thread context of 1188 (Explorer.EXE), 2 entries
PID 1912 (raserver.exe) set thread context of 1188 (Explorer.EXE)
-
Drops file in Windows directory 1 IoCs
Processes:
File opened for modification C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
WINWORD.EXE
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 1380, process WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid 1152 mobsync.exe (3 entries)
pid 1912 raserver.exe (22 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1188, process Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid 1152 mobsync.exe (4 entries)
pid 1912 raserver.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Token: SeDebugPrivilege, pid 1152 mobsync.exe
Token: SeDebugPrivilege, pid 1912 raserver.exe
Token: SeShutdownPrivilege, pid 1188 Explorer.EXE (2 entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 1188 Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 1188 Explorer.EXE (2 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 1380 WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
PID 1592 (EQNEDT32.EXE) wrote to memory of 2036 (mmmfdh7681.exe), 4 entries
PID 2036 (mmmfdh7681.exe) wrote to memory of 1152 (mobsync.exe), 7 entries
PID 1380 (WINWORD.EXE) wrote to memory of 1920 (splwow64.exe), 4 entries
PID 1188 (Explorer.EXE) wrote to memory of 1912 (raserver.exe), 4 entries
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Documents – Packing List Commercial Invoice.rtf"
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\splwow64.exe
          command line: C:\Windows\splwow64.exe 12288
    C:\Windows\SysWOW64\raserver.exe
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\mmmfdh7681.exe
      command line: "C:\Users\Admin\AppData\Roaming\mmmfdh7681.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\mobsync.exe
          command line: C:\Windows\System32\mobsync.exe
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\mmmfdh7681.exe
MD5: ddcde48f427aa321a5f6fefd393f1da5
SHA1: 3540ff15af3279ee9c560cfefdb731cf12640727
SHA256: ce07698f1ba923cc1540ebf07420dae91b813b78a093465611692df3b9817b8f
SHA512: 354f172200b5ec3782d41cb42801009abe4ade597894f0037a61624d505c368eebdb43c46e1cdefe4cf890d90bbe3b83d703e216cfe8457767948143ee170619
-
memory/1152-82-0x00000000002A0000-0x00000000002B1000-memory.dmp: 68KB
memory/1152-76-0x0000000072480000-0x00000000724AA000-memory.dmp: 168KB
memory/1152-81-0x0000000072480000-0x00000000724AA000-memory.dmp: 168KB
memory/1152-79-0x0000000000210000-0x0000000000221000-memory.dmp: 68KB
memory/1152-74-0x0000000072480000-0x00000000724AA000-memory.dmp: 168KB
memory/1152-75-0x00000000021B0000-0x00000000024B3000-memory.dmp: 3.0MB
memory/1152-73-0x0000000000090000-0x0000000000091000-memory.dmp: 4KB
memory/1152-68-0x0000000072480000-0x00000000724AA000-memory.dmp: 168KB
memory/1152-69-0x0000000000080000-0x0000000000081000-memory.dmp: 4KB
memory/1152-71-0x0000000000000000-mapping.dmp
memory/1188-90-0x0000000009280000-0x0000000009402000-memory.dmp: 1.5MB
memory/1188-83-0x0000000007580000-0x0000000007720000-memory.dmp: 1.6MB
memory/1188-80-0x00000000062A0000-0x000000000638E000-memory.dmp: 952KB
memory/1380-58-0x0000000075D61000-0x0000000075D63000-memory.dmp: 8KB
memory/1380-91-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
memory/1380-56-0x0000000070561000-0x0000000070563000-memory.dmp: 8KB
memory/1380-55-0x0000000072AE1000-0x0000000072AE4000-memory.dmp: 12KB
memory/1380-57-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
memory/1912-87-0x0000000000080000-0x00000000000A9000-memory.dmp: 164KB
memory/1912-84-0x0000000000000000-mapping.dmp
memory/1912-86-0x0000000000990000-0x00000000009AC000-memory.dmp: 112KB
memory/1912-88-0x0000000001DB0000-0x00000000020B3000-memory.dmp: 3.0MB
memory/1912-89-0x0000000000860000-0x00000000008F0000-memory.dmp: 576KB
memory/1920-78-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp: 8KB
memory/1920-77-0x0000000000000000-mapping.dmp
memory/2036-62-0x0000000000000000-mapping.dmp
memory/2036-65-0x00000000003D1000-0x00000000003E5000-memory.dmp: 80KB
memory/2036-66-0x0000000000230000-0x0000000000231000-memory.dmp: 4KB