Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
27-01-2022 13:04
Static task
static1
Behavioral task
behavioral1
Sample
Alligator Pty Ltd Quote.rtf
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Alligator Pty Ltd Quote.rtf
Resource
win10-en-20211208
General
-
Target
Alligator Pty Ltd Quote.rtf
-
Size
11KB
-
MD5
5ca2cd21f345b9af1dcb83321284c60f
-
SHA1
858e1756867ad4c771ea5065fc5b42de2e1f0a7c
-
SHA256
d76844ff49e147c7c93bafadbafe15eced2ab1ab22ffe4a0fd93434bba4351f8
-
SHA512
6be94ca0705eaa78c437819b0a66d2f87c34ceab51ab4b73e632b5c5961eb54157bd746b3012e640a3880346a539a71f7f3bf0b022c612486ee1f18768780634
Malware Config
Extracted
formbook
4.1
cw22
betvoy206.com
nftstoners.com
tirupatibuilder.com
gulldesigns.com
shemhq.com
boricosmetic.com
bitcoinbillionaireboy.com
theflypaperplanes.com
retrocartours.com
yangzhie326.com
cheepchain.com
sentryr.com
luckirentalhomes.com
pointssquashers.com
dianasarabiantreasures.com
calendarsilo.com
sublike21.xyz
gajubg0up.xyz
lousfoodreviews.com
fades.site
276a.xyz
chopkingstamp.com
parcelfrance.com
lcntrust.com
aeeg-austria.com
trogen24.net
widepeepohappy.xyz
hogekortingen.com
trump-is-right.net
legacyfarmsgeorgia.com
dingbuzhule.com
teckelgruppe-raben.com
qianshuhua.com
onsdia.xyz
sectorquant.com
automatenstudent.com
bathkithcenandtile.com
lasvegasphonerepairs.com
riselsat.com
myvafterdark.com
whispersystems.net
technicolorday.com
renetextile.xyz
cchcolo.com
professorjoshi.com
capybarashop.com
alfredoreyessci.com
w124blog.com
vdsdev77.com
helloentepriseg1.com
denlab.net
triviamillionairewin.com
jelofly.com
09m370uz.xyz
reple-top2.com
riosgames.xyz
teaberryadvisors.com
satgerv.online
galenika.net
landspeedlogistics.com
familiesgivinghope.com
moisuhop-channel.xyz
chambres-d-hotes-marrakech.com
realizefinanceirorennerr.com
playthemove.info
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/900-71-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2012-78-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 1368 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
manncj543813.exemanncj543813.exepid process 1296 manncj543813.exe 900 manncj543813.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1368 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
Processes:
manncj543813.exemanncj543813.execmd.exedescription pid process target process PID 1296 set thread context of 900 1296 manncj543813.exe manncj543813.exe PID 900 set thread context of 1416 900 manncj543813.exe Explorer.EXE PID 2012 set thread context of 1416 2012 cmd.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1532 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
manncj543813.execmd.exepid process 900 manncj543813.exe 900 manncj543813.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe 2012 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1416 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
manncj543813.execmd.exepid process 900 manncj543813.exe 900 manncj543813.exe 900 manncj543813.exe 2012 cmd.exe 2012 cmd.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
manncj543813.execmd.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 900 manncj543813.exe Token: SeDebugPrivilege 2012 cmd.exe Token: SeShutdownPrivilege 1416 Explorer.EXE Token: SeShutdownPrivilege 1416 Explorer.EXE Token: SeShutdownPrivilege 1416 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1532 WINWORD.EXE 1532 WINWORD.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEmanncj543813.exeExplorer.EXEcmd.exedescription pid process target process PID 1368 wrote to memory of 1296 1368 EQNEDT32.EXE manncj543813.exe PID 1368 wrote to memory of 1296 1368 EQNEDT32.EXE manncj543813.exe PID 1368 wrote to memory of 1296 1368 EQNEDT32.EXE manncj543813.exe PID 1368 wrote to memory of 1296 1368 EQNEDT32.EXE manncj543813.exe PID 1532 wrote to memory of 1072 1532 WINWORD.EXE splwow64.exe PID 1532 wrote to memory of 1072 1532 WINWORD.EXE splwow64.exe PID 1532 wrote to memory of 1072 1532 WINWORD.EXE splwow64.exe PID 1532 wrote to memory of 1072 1532 WINWORD.EXE splwow64.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1296 wrote to memory of 900 1296 manncj543813.exe manncj543813.exe PID 1416 wrote to memory of 2012 1416 Explorer.EXE cmd.exe PID 1416 wrote to memory of 2012 1416 Explorer.EXE cmd.exe PID 1416 wrote to memory of 2012 1416 Explorer.EXE cmd.exe PID 1416 wrote to memory of 2012 1416 Explorer.EXE cmd.exe PID 2012 wrote to memory of 1168 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1168 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1168 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1168 2012 cmd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Alligator Pty Ltd Quote.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\manncj543813.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\manncj543813.exe"C:\Users\Admin\AppData\Roaming\manncj543813.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\manncj543813.exe"C:\Users\Admin\AppData\Roaming\manncj543813.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\manncj543813.exeMD5
30960d3f020c7f741a8ef2a0dc78013c
SHA1e7365401cedd20b086cdb9030238baf130edb0bb
SHA256459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198
-
C:\Users\Admin\AppData\Roaming\manncj543813.exeMD5
30960d3f020c7f741a8ef2a0dc78013c
SHA1e7365401cedd20b086cdb9030238baf130edb0bb
SHA256459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198
-
C:\Users\Admin\AppData\Roaming\manncj543813.exeMD5
30960d3f020c7f741a8ef2a0dc78013c
SHA1e7365401cedd20b086cdb9030238baf130edb0bb
SHA256459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198
-
\Users\Admin\AppData\Roaming\manncj543813.exeMD5
30960d3f020c7f741a8ef2a0dc78013c
SHA1e7365401cedd20b086cdb9030238baf130edb0bb
SHA256459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198
-
memory/900-69-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/900-74-0x0000000000B70000-0x0000000000E73000-memory.dmpFilesize
3.0MB
-
memory/900-75-0x00000000005E0000-0x00000000005F4000-memory.dmpFilesize
80KB
-
memory/900-70-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/900-71-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1072-67-0x000007FEFC371000-0x000007FEFC373000-memory.dmpFilesize
8KB
-
memory/1296-63-0x0000000000B00000-0x0000000000B6A000-memory.dmpFilesize
424KB
-
memory/1296-65-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/1296-66-0x0000000000540000-0x000000000054C000-memory.dmpFilesize
48KB
-
memory/1296-68-0x00000000052A0000-0x000000000530A000-memory.dmpFilesize
424KB
-
memory/1416-81-0x0000000006E00000-0x0000000006F43000-memory.dmpFilesize
1.3MB
-
memory/1416-76-0x0000000006BE0000-0x0000000006CF4000-memory.dmpFilesize
1.1MB
-
memory/1532-56-0x00000000708E1000-0x00000000708E3000-memory.dmpFilesize
8KB
-
memory/1532-58-0x0000000076851000-0x0000000076853000-memory.dmpFilesize
8KB
-
memory/1532-55-0x0000000072E61000-0x0000000072E64000-memory.dmpFilesize
12KB
-
memory/1532-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1532-82-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2012-77-0x0000000049DE0000-0x0000000049E2C000-memory.dmpFilesize
304KB
-
memory/2012-78-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/2012-79-0x0000000002050000-0x0000000002353000-memory.dmpFilesize
3.0MB
-
memory/2012-80-0x0000000001D80000-0x0000000001E13000-memory.dmpFilesize
588KB