Analysis
-
max time kernel
149s
-
max time network
145s
-
platform
windows7_x64
-
resource
win7-20220414-en
-
submitted
30-05-2022 15:42
Static task
static1
Behavioral task
behavioral1
Sample
RFQ- PO 31005.rtf
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
RFQ- PO 31005.rtf
Resource
win10v2004-20220414-en
General
-
Target
RFQ- PO 31005.rtf
-
Size
4KB
-
MD5
3917a40caa205181ac6e73239ad3a8ee
-
SHA1
bbb50ef471084e5e3c7fdb41f1c7cb078c1d9a33
-
SHA256
f8d38396ca27592174d246b82f3fdfb2a1b0cecc296d67d236cf0502d6bf1ce8
-
SHA512
6743d699dd0bd8dc8001f3912c2b87d7dada1f6a7bcd3b345b54bb97cd0ac4e90ccf9512e720f48b7cfad26ad8ebaf44313077c418b528c3ce18e0d000eed456
Malware Config
Extracted
formbook
4.1
nk6l
Signatures
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/976-74-0x000000000041F0F0-mapping.dmp | formbook
behavioral1/memory/976-77-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1524-84-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
4 | 1696 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1664 | word.exe
704 | mijdipei.exe
976 | mijdipei.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1696 | EQNEDT32.EXE
1664 | word.exe
704 | mijdipei.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 704 set thread context of 976 | 704 | mijdipei.exe | mijdipei.exe
PID 976 set thread context of 1212 | 976 | mijdipei.exe | Explorer.EXE
PID 1524 set thread context of 1212 | 1524 | help.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\word.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe | nsis_installer_1
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
Modifies registry class 64 IoCs
Processes:
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1280 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid | process
976 | mijdipei.exe (2 entries)
1524 | help.exe (23 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
976 | mijdipei.exe
976 | mijdipei.exe
976 | mijdipei.exe
1524 | help.exe
1524 | help.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 976 | mijdipei.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeDebugPrivilege | 1524 | help.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
pid | process
1212 | Explorer.EXE (14 entries)
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process
1212 | Explorer.EXE (6 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1280 | WINWORD.EXE
1280 | WINWORD.EXE
-
Suspicious use of UnmapMainImage 9 IoCs
Processes:
pid | process
1212 | Explorer.EXE (9 entries)
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 1696 wrote to memory of 1664 | 1696 | EQNEDT32.EXE | word.exe (4 entries)
PID 1664 wrote to memory of 704 | 1664 | word.exe | mijdipei.exe (4 entries)
PID 704 wrote to memory of 976 | 704 | mijdipei.exe | mijdipei.exe (7 entries)
PID 1212 wrote to memory of 1524 | 1212 | Explorer.EXE | help.exe (4 entries)
PID 1524 wrote to memory of 876 | 1524 | help.exe | cmd.exe (4 entries)
PID 1280 wrote to memory of 1004 | 1280 | WINWORD.EXE | splwow64.exe (4 entries)
Processes
-
Depth 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ- PO 31005.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
-
Depth 2: C:\Windows\SysWOW64\help.exe
Command line: "C:\Windows\SysWOW64\help.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\mijdipei.exe"
-
Depth 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Roaming\word.exe
Command line: C:\Users\Admin\AppData\Roaming\word.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Command line: C:\Users\Admin\AppData\Local\Temp\mijdipei.exe C:\Users\Admin\AppData\Local\Temp\psflwkl
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Command line: C:\Users\Admin\AppData\Local\Temp\mijdipei.exe C:\Users\Admin\AppData\Local\Temp\psflwkl
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB
MD5
4c77c995cbfa3ad3c911c9d861e742d4
SHA1
46dc554008f0c540e38c629d2121e6cff859bad1
SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c
SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac
-
C:\Users\Admin\AppData\Local\Temp\psflwkl
Filesize
4KB
MD5
37c96298ece1386b76d64460f4e6dd2c
SHA1
cff113350ab6efaa4472e9ad4700223169b01a88
SHA256
a6e74154b61567019de2bdda82ba5a108bbaf56ed00ee739c31a16b005af21b0
SHA512
ceaa78241328aac5dcda08b307cec56fbc5c98c25a17e3ef8ab397f5f94dd68df310b60887fe76ed6a65c2f7aae9b5ceb6e18a0423133c8e924ee26277213c93
-
C:\Users\Admin\AppData\Local\Temp\yq8dym007pk5vjjczyg6
Filesize
184KB
MD5
54f30b43ff0189d46c7cc63193d16bc4
SHA1
2b65de4d9a8dcb416fcb3dc2992e4449380e28f2
SHA256
4329a7da3cf2a9d463c5d2c22a384c47d961b1d070a86bf952c19c1d8e6235f0
SHA512
5a1d5cc96a3813368c9b0b244713757adaf81973fa27f59addf61fdf0a7d294a5dcc40f442594c61d8a77bc6f8b94605d903639c627dc772e4a54bbd5ffcf91d
-
C:\Users\Admin\AppData\Roaming\word.exe
Filesize
270KB
MD5
a2b4a8d3bf203ac362d86594a2c64a47
SHA1
69d238628b844b2479388c8a49489543887e5a76
SHA256
1cffa28790213a252d800eca590c73be9bba2648e61cc20ee95e3d880fcafbef
SHA512
9bc50331a553be866e2cde5503aa1a88bb236a4c31c199b794d3bc21002d11666f8e34d63ef4f0965eb13e0d422bbdc8db24604f5efdb65ea1a5d7b25c9864d3
-
memory/704-66-0x0000000000000000-mapping.dmp
-
memory/876-82-0x0000000000000000-mapping.dmp
-
memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/976-74-0x000000000041F0F0-mapping.dmp
-
memory/976-77-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/976-78-0x0000000000B90000-0x0000000000E93000-memory.dmp
Filesize
3.0MB
-
memory/976-79-0x0000000000140000-0x0000000000154000-memory.dmp
Filesize
80KB
-
memory/1004-91-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
Filesize
8KB
-
memory/1004-90-0x0000000000000000-mapping.dmp
-
memory/1212-80-0x0000000002A40000-0x0000000002B19000-memory.dmp
Filesize
868KB
-
memory/1212-92-0x0000000006D10000-0x0000000006DF3000-memory.dmp
Filesize
908KB
-
memory/1212-89-0x0000000006D10000-0x0000000006DF3000-memory.dmp
Filesize
908KB
-
memory/1280-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/1280-57-0x0000000076181000-0x0000000076183000-memory.dmp
Filesize
8KB
-
memory/1280-55-0x00000000708A1000-0x00000000708A3000-memory.dmp
Filesize
8KB
-
memory/1280-94-0x000000007188D000-0x0000000071898000-memory.dmp
Filesize
44KB
-
memory/1280-93-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/1280-54-0x0000000072E21000-0x0000000072E24000-memory.dmp
Filesize
12KB
-
memory/1280-86-0x000000007188D000-0x0000000071898000-memory.dmp
Filesize
44KB
-
memory/1280-58-0x000000007188D000-0x0000000071898000-memory.dmp
Filesize
44KB
-
memory/1524-84-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize
188KB
-
memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize
188KB
-
memory/1524-87-0x0000000000600000-0x0000000000693000-memory.dmp
Filesize
588KB
-
memory/1524-85-0x00000000007A0000-0x0000000000AA3000-memory.dmp
Filesize
3.0MB
-
memory/1524-81-0x0000000000000000-mapping.dmp
-
memory/1524-83-0x0000000000F10000-0x0000000000F16000-memory.dmp
Filesize
24KB
-
memory/1664-61-0x0000000000000000-mapping.dmp