formbook | 1407bcb68789cb9850c5006301431cc9d1536cf6c8e63a97eb50ba11cd724ddb

Analysis

max time kernel
207s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_00980.rtf
Size

18KB
MD5

aff328a66fdc5b3e1233e34ea52b5210
SHA1

944592196bd7042fe76dd72af790be102106e79a
SHA256

1407bcb68789cb9850c5006301431cc9d1536cf6c8e63a97eb50ba11cd724ddb
SHA512

7bcc02d424de8e754aa4372ebd12cda6cd229053bf4f27ba4d9c712e41bf5ea064279677931bfb29532c43fced550cfbfd122fc4da531b34808f24e97ed82bac
SSDEEP

384:J43W5XH6i1kVYAlJGusEGKVOWQn5sQwzFz6ty1JCeVhSRK6XMu6:em5XHf2VYeUusEGKVdQuVzR6U1JHhmXG

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1908 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1740 vbc.exe
1000 vbc.exe
1812 vbc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation vbc.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEcontrol.exe

pid process

1908 EQNEDT32.EXE
1908 EQNEDT32.EXE
1908 EQNEDT32.EXE
1908 EQNEDT32.EXE
1092 control.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	1908	EQNEDT32.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	vbc.exe

pid	process
1908	EQNEDT32.EXE
1908	EQNEDT32.EXE
1908	EQNEDT32.EXE
1908	EQNEDT32.EXE
1092	control.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execontrol.exe

description	pid	process	target process
PID 1740 set thread context of 1812	1740	vbc.exe	vbc.exe
PID 1812 set thread context of 1264	1812	vbc.exe	Explorer.EXE
PID 1092 set thread context of 1264	1092	control.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1908 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1908	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEcontrol.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1516 WINWORD.EXE

pid	process
1516	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

vbc.exevbc.execontrol.exe

pid	process
1740	vbc.exe
1740	vbc.exe
1812	vbc.exe
1812	vbc.exe
1812	vbc.exe
1812	vbc.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.execontrol.exe

pid process

1812 vbc.exe
1812 vbc.exe
1812 vbc.exe
1092 control.exe
1092 control.exe
1092 control.exe
1092 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.execontrol.exe

description pid process

Token: SeDebugPrivilege 1740 vbc.exe
Token: SeDebugPrivilege 1812 vbc.exe
Token: SeDebugPrivilege 1092 control.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1516 WINWORD.EXE
1516 WINWORD.EXE

pid	process
1264	Explorer.EXE

pid	process
1812	vbc.exe
1812	vbc.exe
1812	vbc.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe

description	pid	process
Token: SeDebugPrivilege	1740	vbc.exe
Token: SeDebugPrivilege	1812	vbc.exe
Token: SeDebugPrivilege	1092	control.exe

pid	process
1516	WINWORD.EXE
1516	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1908 wrote to memory of 1740	1908	EQNEDT32.EXE	vbc.exe
PID 1908 wrote to memory of 1740	1908	EQNEDT32.EXE	vbc.exe
PID 1908 wrote to memory of 1740	1908	EQNEDT32.EXE	vbc.exe
PID 1908 wrote to memory of 1740	1908	EQNEDT32.EXE	vbc.exe
PID 1516 wrote to memory of 1196	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1196	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1196	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1196	1516	WINWORD.EXE	splwow64.exe
PID 1740 wrote to memory of 1000	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1000	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1000	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1000	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1812	1740	vbc.exe	vbc.exe
PID 1264 wrote to memory of 1092	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1092	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1092	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1092	1264	Explorer.EXE	control.exe
PID 1092 wrote to memory of 2020	1092	control.exe	Firefox.exe
PID 1092 wrote to memory of 2020	1092	control.exe	Firefox.exe
PID 1092 wrote to memory of 2020	1092	control.exe	Firefox.exe
PID 1092 wrote to memory of 2020	1092	control.exe	Firefox.exe
PID 1092 wrote to memory of 2020	1092	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document_00980.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1196

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1000

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
C:\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
C:\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
C:\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
922KB

MD5
dda1b03a5cd2ca37c96b7daf5e3a8ed7

SHA1
c70e5f58e61980d39608f0795879bf012dbbbca2

SHA256
79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d

SHA512
bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f

Download Submit
\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
\Users\Public\vbc.exe

Filesize
938KB

MD5
4cf9ee4def8a823bc5132f8f91c083d7

SHA1
73e85483bc4eaa7ff3f7ebfa89c48dcf23b13ce4

SHA256
37372679b024d50d46f5c1dbe0c0e1de65ff4b97a8e3915d229982769c891a2b

SHA512
1a5bdfb255d93ed6cb38e9f4cb05531a4a73d5d8a571fa610de5f51fe2682cb052055c39f1bc1006a0a650d63905b1c115de7b782fffc59793beb7ee5db23d77

Download Submit
memory/1092-96-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1092-97-0x00000000004B0000-0x000000000053F000-memory.dmp

Filesize
572KB

Download
memory/1092-95-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1092-94-0x0000000000AD0000-0x0000000000AEF000-memory.dmp

Filesize
124KB

Download
memory/1092-92-0x0000000000000000-mapping.dmp

Download
memory/1092-99-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1196-69-0x0000000000000000-mapping.dmp

Download
memory/1196-70-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1264-91-0x00000000067E0000-0x0000000006913000-memory.dmp

Filesize
1.2MB

Download
memory/1264-102-0x0000000004950000-0x0000000004AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1264-101-0x000007FE9A6C0000-0x000007FE9A6CA000-memory.dmp

Filesize
40KB

Download
memory/1264-100-0x000007FEF61E0000-0x000007FEF6323000-memory.dmp

Filesize
1.3MB

Download
memory/1264-98-0x0000000004950000-0x0000000004AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-54-0x0000000072931000-0x0000000072934000-memory.dmp

Filesize
12KB

Download
memory/1516-55-0x00000000703B1000-0x00000000703B3000-memory.dmp

Filesize
8KB

Download
memory/1516-73-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1516-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1516-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1516-57-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1516-58-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1740-64-0x0000000000000000-mapping.dmp

Download
memory/1740-67-0x00000000001A0000-0x0000000000290000-memory.dmp

Filesize
960KB

Download
memory/1740-75-0x00000000051C0000-0x0000000005266000-memory.dmp

Filesize
664KB

Download
memory/1740-76-0x0000000005580000-0x00000000055EE000-memory.dmp

Filesize
440KB

Download
memory/1740-74-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1740-71-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/1812-87-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1812-88-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/1812-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-82-0x00000000004012B0-mapping.dmp

Download
memory/1812-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-90-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1812-89-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download