formbook | f8d38396ca27592174d246b82f3fdfb2a1b0cecc296d67d236cf0502d6bf1ce8

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ- PO 31005.rtf
Size

4KB
MD5

3917a40caa205181ac6e73239ad3a8ee
SHA1

bbb50ef471084e5e3c7fdb41f1c7cb078c1d9a33
SHA256

f8d38396ca27592174d246b82f3fdfb2a1b0cecc296d67d236cf0502d6bf1ce8
SHA512

6743d699dd0bd8dc8001f3912c2b87d7dada1f6a7bcd3b345b54bb97cd0ac4e90ccf9512e720f48b7cfad26ad8ebaf44313077c418b528c3ce18e0d000eed456

Score

10^/10

formbook nk6l rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/976-74-0x000000000041F0F0-mapping.dmp	formbook
behavioral1/memory/976-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1524-84-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1696 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

word.exemijdipei.exemijdipei.exe

pid process

1664 word.exe
704 mijdipei.exe
976 mijdipei.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEword.exemijdipei.exe

pid process

1696 EQNEDT32.EXE
1664 word.exe
704 mijdipei.exe

flow	pid	process
4	1696	EQNEDT32.EXE

pid	process
1664	word.exe
704	mijdipei.exe
976	mijdipei.exe

pid	process
1696	EQNEDT32.EXE
1664	word.exe
704	mijdipei.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mijdipei.exemijdipei.exehelp.exe

description	pid	process	target process
PID 704 set thread context of 976	704	mijdipei.exe	mijdipei.exe
PID 976 set thread context of 1212	976	mijdipei.exe	Explorer.EXE
PID 1524 set thread context of 1212	1524	help.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1696 EQNEDT32.EXE

pid	process
1696	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1280 WINWORD.EXE

pid	process
1280	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

mijdipei.exehelp.exe

pid	process
976	mijdipei.exe
976	mijdipei.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe
1524	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mijdipei.exehelp.exe

pid process

976 mijdipei.exe
976 mijdipei.exe
976 mijdipei.exe
1524 help.exe
1524 help.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mijdipei.exeExplorer.EXEhelp.exe

description	pid	process
Token: SeDebugPrivilege	976	mijdipei.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1524	help.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1280 WINWORD.EXE
1280 WINWORD.EXE

pid	process
1280	WINWORD.EXE
1280	WINWORD.EXE

Suspicious use of UnmapMainImage 9 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EQNEDT32.EXEword.exemijdipei.exeExplorer.EXEhelp.exeWINWORD.EXE

description	pid	process	target process
PID 1696 wrote to memory of 1664	1696	EQNEDT32.EXE	word.exe
PID 1696 wrote to memory of 1664	1696	EQNEDT32.EXE	word.exe
PID 1696 wrote to memory of 1664	1696	EQNEDT32.EXE	word.exe
PID 1696 wrote to memory of 1664	1696	EQNEDT32.EXE	word.exe
PID 1664 wrote to memory of 704	1664	word.exe	mijdipei.exe
PID 1664 wrote to memory of 704	1664	word.exe	mijdipei.exe
PID 1664 wrote to memory of 704	1664	word.exe	mijdipei.exe
PID 1664 wrote to memory of 704	1664	word.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 704 wrote to memory of 976	704	mijdipei.exe	mijdipei.exe
PID 1212 wrote to memory of 1524	1212	Explorer.EXE	help.exe
PID 1212 wrote to memory of 1524	1212	Explorer.EXE	help.exe
PID 1212 wrote to memory of 1524	1212	Explorer.EXE	help.exe
PID 1212 wrote to memory of 1524	1212	Explorer.EXE	help.exe
PID 1524 wrote to memory of 876	1524	help.exe	cmd.exe
PID 1524 wrote to memory of 876	1524	help.exe	cmd.exe
PID 1524 wrote to memory of 876	1524	help.exe	cmd.exe
PID 1524 wrote to memory of 876	1524	help.exe	cmd.exe
PID 1280 wrote to memory of 1004	1280	WINWORD.EXE	splwow64.exe
PID 1280 wrote to memory of 1004	1280	WINWORD.EXE	splwow64.exe
PID 1280 wrote to memory of 1004	1280	WINWORD.EXE	splwow64.exe
PID 1280 wrote to memory of 1004	1280	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ- PO 31005.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1004

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mijdipei.exe"
3⤵
PID:876

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\word.exe
C:\Users\Admin\AppData\Roaming\word.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
C:\Users\Admin\AppData\Local\Temp\mijdipei.exe C:\Users\Admin\AppData\Local\Temp\psflwkl
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
C:\Users\Admin\AppData\Local\Temp\mijdipei.exe C:\Users\Admin\AppData\Local\Temp\psflwkl
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB

MD5
4c77c995cbfa3ad3c911c9d861e742d4

SHA1
46dc554008f0c540e38c629d2121e6cff859bad1

SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c

SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB

MD5
4c77c995cbfa3ad3c911c9d861e742d4

SHA1
46dc554008f0c540e38c629d2121e6cff859bad1

SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c

SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB

MD5
4c77c995cbfa3ad3c911c9d861e742d4

SHA1
46dc554008f0c540e38c629d2121e6cff859bad1

SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c

SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\psflwkl
Filesize
4KB

MD5
37c96298ece1386b76d64460f4e6dd2c

SHA1
cff113350ab6efaa4472e9ad4700223169b01a88

SHA256
a6e74154b61567019de2bdda82ba5a108bbaf56ed00ee739c31a16b005af21b0

SHA512
ceaa78241328aac5dcda08b307cec56fbc5c98c25a17e3ef8ab397f5f94dd68df310b60887fe76ed6a65c2f7aae9b5ceb6e18a0423133c8e924ee26277213c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\yq8dym007pk5vjjczyg6
Filesize
184KB

MD5
54f30b43ff0189d46c7cc63193d16bc4

SHA1
2b65de4d9a8dcb416fcb3dc2992e4449380e28f2

SHA256
4329a7da3cf2a9d463c5d2c22a384c47d961b1d070a86bf952c19c1d8e6235f0

SHA512
5a1d5cc96a3813368c9b0b244713757adaf81973fa27f59addf61fdf0a7d294a5dcc40f442594c61d8a77bc6f8b94605d903639c627dc772e4a54bbd5ffcf91d

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
Filesize
270KB

MD5
a2b4a8d3bf203ac362d86594a2c64a47

SHA1
69d238628b844b2479388c8a49489543887e5a76

SHA256
1cffa28790213a252d800eca590c73be9bba2648e61cc20ee95e3d880fcafbef

SHA512
9bc50331a553be866e2cde5503aa1a88bb236a4c31c199b794d3bc21002d11666f8e34d63ef4f0965eb13e0d422bbdc8db24604f5efdb65ea1a5d7b25c9864d3

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
Filesize
270KB

MD5
a2b4a8d3bf203ac362d86594a2c64a47

SHA1
69d238628b844b2479388c8a49489543887e5a76

SHA256
1cffa28790213a252d800eca590c73be9bba2648e61cc20ee95e3d880fcafbef

SHA512
9bc50331a553be866e2cde5503aa1a88bb236a4c31c199b794d3bc21002d11666f8e34d63ef4f0965eb13e0d422bbdc8db24604f5efdb65ea1a5d7b25c9864d3

Download Submit
\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB

MD5
4c77c995cbfa3ad3c911c9d861e742d4

SHA1
46dc554008f0c540e38c629d2121e6cff859bad1

SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c

SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac

Download Submit
\Users\Admin\AppData\Local\Temp\mijdipei.exe
Filesize
128KB

MD5
4c77c995cbfa3ad3c911c9d861e742d4

SHA1
46dc554008f0c540e38c629d2121e6cff859bad1

SHA256
f26aab4e991c5fda2f8074bfccdd4074b7b3c3941bae290987de540a3f65044c

SHA512
71f4bc9c1b401661503567c80fc52bb56ec20c32fc4923455bb9c24b38643a51ba98fb561b6df5e3fb3c8e1504f45044e393c740b427f111feace56635b50eac

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
270KB

MD5
a2b4a8d3bf203ac362d86594a2c64a47

SHA1
69d238628b844b2479388c8a49489543887e5a76

SHA256
1cffa28790213a252d800eca590c73be9bba2648e61cc20ee95e3d880fcafbef

SHA512
9bc50331a553be866e2cde5503aa1a88bb236a4c31c199b794d3bc21002d11666f8e34d63ef4f0965eb13e0d422bbdc8db24604f5efdb65ea1a5d7b25c9864d3

Download Submit
memory/704-66-0x0000000000000000-mapping.dmp

Download
memory/876-82-0x0000000000000000-mapping.dmp

Download
memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-74-0x000000000041F0F0-mapping.dmp

Download
memory/976-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-78-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/976-79-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1004-91-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1212-80-0x0000000002A40000-0x0000000002B19000-memory.dmp

Filesize
868KB

Download
memory/1212-92-0x0000000006D10000-0x0000000006DF3000-memory.dmp

Filesize
908KB

Download
memory/1212-89-0x0000000006D10000-0x0000000006DF3000-memory.dmp

Filesize
908KB

Download
memory/1280-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1280-57-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x00000000708A1000-0x00000000708A3000-memory.dmp

Filesize
8KB

Download
memory/1280-94-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1280-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1280-54-0x0000000072E21000-0x0000000072E24000-memory.dmp

Filesize
12KB

Download
memory/1280-86-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1280-58-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1524-84-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1524-87-0x0000000000600000-0x0000000000693000-memory.dmp

Filesize
588KB

Download
memory/1524-85-0x00000000007A0000-0x0000000000AA3000-memory.dmp

Filesize
3.0MB

Download
memory/1524-81-0x0000000000000000-mapping.dmp

Download
memory/1524-83-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/1664-61-0x0000000000000000-mapping.dmp

Download