Analysis
-
max time kernel
153s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
26-01-2022 14:17
Static task
static1
Behavioral task
behavioral1
Sample
20589634.rtf
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
20589634.rtf
Resource
win10-en-20211208
General
-
Target
20589634.rtf
-
Size
17KB
-
MD5
9f262c6d365ac4bc1b8785009bbe1368
-
SHA1
81a240b1cc12340d0d003af33bf6e4a1c93154fe
-
SHA256
6ee894977bb2a47f9fff347a6e29942065c1058a3a0dfd924884af1c3320d569
-
SHA512
4735c1a56b3ec7fb8383e67cb6f430d7d5c2575967bd8965febccd1577cbeb79bec6adfec501b25d57f578bfab013a853ddd67f65555c045ba723650a73af179
Malware Config
Extracted
formbook
4.1
qugo
sathapornstainlesssteel.com
everythingisaninvestment.com
appsbyraf.com
superhornygirl.club
christmastreeclass.com
cheatdayztogo.com
aadent7.com
divinitypath.com
figuli563.com
distanzalojistik.com
pricelesslookyto-looktoday.info
pcaaems.com
itsnewmovie.com
4kx.claims
rental-aruyo.com
psiek.com
justnobleempress.com
40daysfor40nights.com
91266w.com
csi-texas.biz
laborbbpjnsumsel.com
chiroxpr.com
vipfb69.com
swedls.com
carmonaforcouncil.com
ezgovtfunds.com
bnqit.com
jonkospellen.online
easygojpn.com
boardwalksnj.com
hinrichs.digital
visionbankfl.com
voteronniboskovich.com
lootproject.club
wajeehi.net
jasapengerjaanskripsi.com
hustlerbandz.com
builtkh.com
theeggsstory.com
doctornotaryservice.com
sportsfanmd.com
matrix-casino.com
jumpandbouncehouserental.com
infoecommercepro.com
flowerdiscount.store
b95213.com
dualipaphiladelphia.com
opalandamber.com
impiantidentalibuscaritaorg.com
mmpluk.com
rpcbtt.space
melancholizm.com
odemix.com
klm-med.store
thinkdelivery.net
lifeonticotime.com
harsors.com
mollymo.online
rab.bet
anubhav.pictures
mauromarchesini.com
tokiwa-test.com
livia-rony.com
sgames.space
monimmo3d.com
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1728-71-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1480-78-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 1408 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
successhvc641.exesuccesshvc641.exepid process 820 successhvc641.exe 1728 successhvc641.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1408 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
Processes:
successhvc641.exesuccesshvc641.exesystray.exedescription pid process target process PID 820 set thread context of 1728 820 successhvc641.exe successhvc641.exe PID 1728 set thread context of 1380 1728 successhvc641.exe Explorer.EXE PID 1480 set thread context of 1380 1480 systray.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 828 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
successhvc641.exesystray.exepid process 1728 successhvc641.exe 1728 successhvc641.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe 1480 systray.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
successhvc641.exesystray.exepid process 1728 successhvc641.exe 1728 successhvc641.exe 1728 successhvc641.exe 1480 systray.exe 1480 systray.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
successhvc641.exesystray.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1728 successhvc641.exe Token: SeDebugPrivilege 1480 systray.exe Token: SeShutdownPrivilege 1380 Explorer.EXE Token: SeShutdownPrivilege 1380 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 828 WINWORD.EXE 828 WINWORD.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEsuccesshvc641.exeExplorer.EXEsystray.exedescription pid process target process PID 1408 wrote to memory of 820 1408 EQNEDT32.EXE successhvc641.exe PID 1408 wrote to memory of 820 1408 EQNEDT32.EXE successhvc641.exe PID 1408 wrote to memory of 820 1408 EQNEDT32.EXE successhvc641.exe PID 1408 wrote to memory of 820 1408 EQNEDT32.EXE successhvc641.exe PID 828 wrote to memory of 1756 828 WINWORD.EXE splwow64.exe PID 828 wrote to memory of 1756 828 WINWORD.EXE splwow64.exe PID 828 wrote to memory of 1756 828 WINWORD.EXE splwow64.exe PID 828 wrote to memory of 1756 828 WINWORD.EXE splwow64.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 820 wrote to memory of 1728 820 successhvc641.exe successhvc641.exe PID 1380 wrote to memory of 1480 1380 Explorer.EXE systray.exe PID 1380 wrote to memory of 1480 1380 Explorer.EXE systray.exe PID 1380 wrote to memory of 1480 1380 Explorer.EXE systray.exe PID 1380 wrote to memory of 1480 1380 Explorer.EXE systray.exe PID 1480 wrote to memory of 112 1480 systray.exe cmd.exe PID 1480 wrote to memory of 112 1480 systray.exe cmd.exe PID 1480 wrote to memory of 112 1480 systray.exe cmd.exe PID 1480 wrote to memory of 112 1480 systray.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20589634.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\successhvc641.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\successhvc641.exe"C:\Users\Admin\AppData\Roaming\successhvc641.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\successhvc641.exe"C:\Users\Admin\AppData\Roaming\successhvc641.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\successhvc641.exeMD5
26006717388ba82289d13403ed220f37
SHA172b108134cac9476fb1eccb6cdbcc8a2e6127c55
SHA256fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
SHA51267bd2d6906194b48f36eb1a47152cd91ed8ae323894f5dbf281fc55674e85ffee76798a3b9c448d4d2c569722845a63bb849b66ae798a087c174931d92ed2e30
-
C:\Users\Admin\AppData\Roaming\successhvc641.exeMD5
26006717388ba82289d13403ed220f37
SHA172b108134cac9476fb1eccb6cdbcc8a2e6127c55
SHA256fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
SHA51267bd2d6906194b48f36eb1a47152cd91ed8ae323894f5dbf281fc55674e85ffee76798a3b9c448d4d2c569722845a63bb849b66ae798a087c174931d92ed2e30
-
C:\Users\Admin\AppData\Roaming\successhvc641.exeMD5
26006717388ba82289d13403ed220f37
SHA172b108134cac9476fb1eccb6cdbcc8a2e6127c55
SHA256fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
SHA51267bd2d6906194b48f36eb1a47152cd91ed8ae323894f5dbf281fc55674e85ffee76798a3b9c448d4d2c569722845a63bb849b66ae798a087c174931d92ed2e30
-
\Users\Admin\AppData\Roaming\successhvc641.exeMD5
26006717388ba82289d13403ed220f37
SHA172b108134cac9476fb1eccb6cdbcc8a2e6127c55
SHA256fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
SHA51267bd2d6906194b48f36eb1a47152cd91ed8ae323894f5dbf281fc55674e85ffee76798a3b9c448d4d2c569722845a63bb849b66ae798a087c174931d92ed2e30
-
memory/820-66-0x0000000000250000-0x000000000025C000-memory.dmpFilesize
48KB
-
memory/820-63-0x0000000000F50000-0x000000000102C000-memory.dmpFilesize
880KB
-
memory/820-65-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/820-68-0x0000000004DC0000-0x0000000004E2A000-memory.dmpFilesize
424KB
-
memory/828-58-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/828-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/828-56-0x000000006FB41000-0x000000006FB43000-memory.dmpFilesize
8KB
-
memory/828-82-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/828-55-0x00000000720C1000-0x00000000720C4000-memory.dmpFilesize
12KB
-
memory/1380-76-0x0000000006D70000-0x0000000006EAF000-memory.dmpFilesize
1.2MB
-
memory/1380-81-0x0000000007D40000-0x0000000007E64000-memory.dmpFilesize
1.1MB
-
memory/1480-77-0x0000000000D00000-0x0000000000D05000-memory.dmpFilesize
20KB
-
memory/1480-78-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1480-79-0x0000000002110000-0x0000000002413000-memory.dmpFilesize
3.0MB
-
memory/1480-80-0x0000000000980000-0x0000000000A14000-memory.dmpFilesize
592KB
-
memory/1728-71-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1728-70-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1728-74-0x0000000000A40000-0x0000000000D43000-memory.dmpFilesize
3.0MB
-
memory/1728-75-0x00000000003E0000-0x00000000003F5000-memory.dmpFilesize
84KB
-
memory/1728-69-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1756-67-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmpFilesize
8KB