Analysis
-
max time kernel
155s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
05-12-2022 15:43
Static task
static1
Behavioral task
behavioral1
Sample
000003_20221205.rtf
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
000003_20221205.rtf
Resource
win10v2004-20220901-en
General
-
Target
000003_20221205.rtf
-
Size
3KB
-
MD5
efe3b23b80f8c3e55b9586034492cabc
-
SHA1
82bd085b8521e9f3454a3875c4f9506305ab5d46
-
SHA256
6c8cbe9aa83aa0a443e456f0c24e0868ae91485dd88798d1094d8bc295c5e20d
-
SHA512
1afce39e8fc9e328a1c7448c5ba09d3e9ca5175559ef442ab86f381f83e3494de7196f0aeb143e0a5dadeed0fdfafaad16c0f7eb1f2d328908231588d688a028
Malware Config
Extracted
formbook
4.1
h3ha
ideas-dulces.store
store1995.store
swuhn.com
ninideal.com
musiqhaus.com
quranchart.com
kszq26.club
lightfx.online
thetickettruth.com
meritloancubk.com
lawnforcement.com
sogeanetwork.com
thedinoexotics.com
kojima-ah.net
gr-myab3z.xyz
platiniuminestor.net
reviewsiske.com
stessil-lifestyle.com
goodqjourney.biz
cirimpianti.com
garsouurber.com
dakshaini.com
dingshuitong.com
pateme.com
diablographic.com
elenesse.com
neginoptical.com
junkremovalbedford.com
dunclearnia.bid
arabicadev.com
thelastsize.com
ku7web.net
chaijiaxia.com
shopnexvn.net
gacorking.asia
missmadddison.com
rigapyk.xyz
chain.place
nosesports.com
paymallmart.info
opi-utp.xyz
institutogdb.com
f819a.site
truefundd.com
producteight.com
quasetudo.store
littlelaughsandgiggles.com
rickhightower.com
urbaniteboffin.com
distributorolinasional.com
bcffji.xyz
wwwbaronhr.com
veridian-ae.com
luxeeventsny.net
freedom-hotline.com
lylaixin.com
mathematicalapologist.com
captivatortees.com
rb-premium.com
nairabet365.com
b2cfaq.com
sunroadrunning.com
centaurusvaccination.com
lamegatienda.online
fucktheenemy.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1084-76-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1084-83-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1528-87-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 732 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
word.exemdjqnwsns.exemdjqnwsns.exepid process 1672 word.exe 704 mdjqnwsns.exe 1084 mdjqnwsns.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEword.exemdjqnwsns.exepid process 732 EQNEDT32.EXE 1672 word.exe 704 mdjqnwsns.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
mdjqnwsns.exemdjqnwsns.exenetsh.exedescription pid process target process PID 704 set thread context of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 1084 set thread context of 1352 1084 mdjqnwsns.exe Explorer.EXE PID 1084 set thread context of 1352 1084 mdjqnwsns.exe Explorer.EXE PID 1528 set thread context of 1352 1528 netsh.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\word.exe nsis_installer_1 \Users\Admin\AppData\Roaming\word.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\word.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\word.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\word.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\word.exe nsis_installer_2 -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1488 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
mdjqnwsns.exenetsh.exepid process 1084 mdjqnwsns.exe 1084 mdjqnwsns.exe 1084 mdjqnwsns.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe 1528 netsh.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
mdjqnwsns.exemdjqnwsns.exenetsh.exepid process 704 mdjqnwsns.exe 1084 mdjqnwsns.exe 1084 mdjqnwsns.exe 1084 mdjqnwsns.exe 1084 mdjqnwsns.exe 1528 netsh.exe 1528 netsh.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
mdjqnwsns.exeExplorer.EXEnetsh.exedescription pid process Token: SeDebugPrivilege 1084 mdjqnwsns.exe Token: SeShutdownPrivilege 1352 Explorer.EXE Token: SeShutdownPrivilege 1352 Explorer.EXE Token: SeShutdownPrivilege 1352 Explorer.EXE Token: SeDebugPrivilege 1528 netsh.exe Token: SeShutdownPrivilege 1352 Explorer.EXE Token: SeShutdownPrivilege 1352 Explorer.EXE Token: SeShutdownPrivilege 1352 Explorer.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1488 WINWORD.EXE 1488 WINWORD.EXE -
Suspicious use of UnmapMainImage 9 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE 1352 Explorer.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEword.exemdjqnwsns.exemdjqnwsns.exenetsh.exeWINWORD.EXEdescription pid process target process PID 732 wrote to memory of 1672 732 EQNEDT32.EXE word.exe PID 732 wrote to memory of 1672 732 EQNEDT32.EXE word.exe PID 732 wrote to memory of 1672 732 EQNEDT32.EXE word.exe PID 732 wrote to memory of 1672 732 EQNEDT32.EXE word.exe PID 1672 wrote to memory of 704 1672 word.exe mdjqnwsns.exe PID 1672 wrote to memory of 704 1672 word.exe mdjqnwsns.exe PID 1672 wrote to memory of 704 1672 word.exe mdjqnwsns.exe PID 1672 wrote to memory of 704 1672 word.exe mdjqnwsns.exe PID 704 wrote to memory of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 704 wrote to memory of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 704 wrote to memory of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 704 wrote to memory of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 704 wrote to memory of 1084 704 mdjqnwsns.exe mdjqnwsns.exe PID 1084 wrote to memory of 1528 1084 mdjqnwsns.exe netsh.exe PID 1084 wrote to memory of 1528 1084 mdjqnwsns.exe netsh.exe PID 1084 wrote to memory of 1528 1084 mdjqnwsns.exe netsh.exe PID 1084 wrote to memory of 1528 1084 mdjqnwsns.exe netsh.exe PID 1528 wrote to memory of 296 1528 netsh.exe cmd.exe PID 1528 wrote to memory of 296 1528 netsh.exe cmd.exe PID 1528 wrote to memory of 296 1528 netsh.exe cmd.exe PID 1528 wrote to memory of 296 1528 netsh.exe cmd.exe PID 1488 wrote to memory of 1840 1488 WINWORD.EXE splwow64.exe PID 1488 wrote to memory of 1840 1488 WINWORD.EXE splwow64.exe PID 1488 wrote to memory of 1840 1488 WINWORD.EXE splwow64.exe PID 1488 wrote to memory of 1840 1488 WINWORD.EXE splwow64.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\000003_20221205.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\word.exeC:\Users\Admin\AppData\Roaming\word.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exe"C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exe" C:\Users\Admin\AppData\Local\Temp\ntqne.lhw3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exe"C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exeFilesize
99KB
MD511c3ab1bdeb529b2342d00f23bff49a9
SHA100b4c08bcbe29e58b45fa416228244f2c51a2370
SHA256b71cb083b23743d6f22f94ab761cfb1d5f4adeaf52931c45e80cdc1c6fbf311f
SHA5128504a88bc5e9e6009d4aad09d4e0673f5d6ce6faee355c6355d63f141be7ec4e59a202a8faf307c0bec703f6240c971eb0ce9c56412c3301abe2783bfddde706
-
C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exeFilesize
99KB
MD511c3ab1bdeb529b2342d00f23bff49a9
SHA100b4c08bcbe29e58b45fa416228244f2c51a2370
SHA256b71cb083b23743d6f22f94ab761cfb1d5f4adeaf52931c45e80cdc1c6fbf311f
SHA5128504a88bc5e9e6009d4aad09d4e0673f5d6ce6faee355c6355d63f141be7ec4e59a202a8faf307c0bec703f6240c971eb0ce9c56412c3301abe2783bfddde706
-
C:\Users\Admin\AppData\Local\Temp\mdjqnwsns.exeFilesize
99KB
MD511c3ab1bdeb529b2342d00f23bff49a9
SHA100b4c08bcbe29e58b45fa416228244f2c51a2370
SHA256b71cb083b23743d6f22f94ab761cfb1d5f4adeaf52931c45e80cdc1c6fbf311f
SHA5128504a88bc5e9e6009d4aad09d4e0673f5d6ce6faee355c6355d63f141be7ec4e59a202a8faf307c0bec703f6240c971eb0ce9c56412c3301abe2783bfddde706
-
C:\Users\Admin\AppData\Local\Temp\ntqne.lhwFilesize
5KB
MD59628a17900926e22be1480ff8afc0d23
SHA124abf02aae778ca21d3d3dcea0424657073d6379
SHA2561f2569198ff43e2b4631551b476548358bb3897ea7e3b225a7510c205d9e0cf2
SHA5122c162cb7f39c68c2bad0b0162a81da64dab74970ad45eb4ccc5a83d112c9605c1a0bfad4e21247a74fca03adc27910aa7511fb72d9ca5990aec61dae89c5cc91
-
C:\Users\Admin\AppData\Local\Temp\rfwhrrpvpxt.zcFilesize
185KB
MD52022819749af166933226201a6be48e0
SHA1563dfb208ec2d37d0a15af9f206ff3ba2b78cb65
SHA25694a3aec6aeffccb1ca748e779e4e05e1573133d666e187f8404e82febf464423
SHA51248a956c6de02d29da4af65de70d018f5fb0ada90b67722cde33f0ad40e8b65a0e39f64ae85f20b90013b0b408137d63d3ddc8d82ee112fb5ee0124011cafa61d
-
C:\Users\Admin\AppData\Roaming\word.exeFilesize
478KB
MD59bd360dd34c4b615db32bcb9c1b3c661
SHA1a9df132add59e1d0fa66ecc9b45a79d99be93a45
SHA2567dbd60ad5baa025d23d2f14c79ab27d6294f897485356329b29da46159e4a537
SHA5126c726f0ee4e4113643970f5d9538b9dfd093a24a9232e59e0e2f120162a484a40ab67d89af4680ad87f89d1c558b4dce4293e3fc3017d826376b6f865d1cbb45
-
C:\Users\Admin\AppData\Roaming\word.exeFilesize
478KB
MD59bd360dd34c4b615db32bcb9c1b3c661
SHA1a9df132add59e1d0fa66ecc9b45a79d99be93a45
SHA2567dbd60ad5baa025d23d2f14c79ab27d6294f897485356329b29da46159e4a537
SHA5126c726f0ee4e4113643970f5d9538b9dfd093a24a9232e59e0e2f120162a484a40ab67d89af4680ad87f89d1c558b4dce4293e3fc3017d826376b6f865d1cbb45
-
\Users\Admin\AppData\Local\Temp\mdjqnwsns.exeFilesize
99KB
MD511c3ab1bdeb529b2342d00f23bff49a9
SHA100b4c08bcbe29e58b45fa416228244f2c51a2370
SHA256b71cb083b23743d6f22f94ab761cfb1d5f4adeaf52931c45e80cdc1c6fbf311f
SHA5128504a88bc5e9e6009d4aad09d4e0673f5d6ce6faee355c6355d63f141be7ec4e59a202a8faf307c0bec703f6240c971eb0ce9c56412c3301abe2783bfddde706
-
\Users\Admin\AppData\Local\Temp\mdjqnwsns.exeFilesize
99KB
MD511c3ab1bdeb529b2342d00f23bff49a9
SHA100b4c08bcbe29e58b45fa416228244f2c51a2370
SHA256b71cb083b23743d6f22f94ab761cfb1d5f4adeaf52931c45e80cdc1c6fbf311f
SHA5128504a88bc5e9e6009d4aad09d4e0673f5d6ce6faee355c6355d63f141be7ec4e59a202a8faf307c0bec703f6240c971eb0ce9c56412c3301abe2783bfddde706
-
\Users\Admin\AppData\Roaming\word.exeFilesize
478KB
MD59bd360dd34c4b615db32bcb9c1b3c661
SHA1a9df132add59e1d0fa66ecc9b45a79d99be93a45
SHA2567dbd60ad5baa025d23d2f14c79ab27d6294f897485356329b29da46159e4a537
SHA5126c726f0ee4e4113643970f5d9538b9dfd093a24a9232e59e0e2f120162a484a40ab67d89af4680ad87f89d1c558b4dce4293e3fc3017d826376b6f865d1cbb45
-
memory/296-84-0x0000000000000000-mapping.dmp
-
memory/704-67-0x0000000000000000-mapping.dmp
-
memory/1084-80-0x00000000002E0000-0x00000000002F4000-memory.dmpFilesize
80KB
-
memory/1084-77-0x0000000000BD0000-0x0000000000ED3000-memory.dmpFilesize
3.0MB
-
memory/1084-83-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1084-79-0x0000000000280000-0x0000000000294000-memory.dmpFilesize
80KB
-
memory/1084-76-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1084-74-0x000000000041F0D0-mapping.dmp
-
memory/1352-81-0x0000000007350000-0x00000000074D6000-memory.dmpFilesize
1.5MB
-
memory/1352-78-0x0000000006880000-0x0000000006989000-memory.dmpFilesize
1.0MB
-
memory/1352-92-0x0000000007EB0000-0x0000000007FE1000-memory.dmpFilesize
1.2MB
-
memory/1352-85-0x0000000006880000-0x0000000006989000-memory.dmpFilesize
1.0MB
-
memory/1352-93-0x0000000007EB0000-0x0000000007FE1000-memory.dmpFilesize
1.2MB
-
memory/1488-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1488-60-0x000000007155D000-0x0000000071568000-memory.dmpFilesize
44KB
-
memory/1488-95-0x000000007155D000-0x0000000071568000-memory.dmpFilesize
44KB
-
memory/1488-55-0x0000000070571000-0x0000000070573000-memory.dmpFilesize
8KB
-
memory/1488-58-0x0000000075AD1000-0x0000000075AD3000-memory.dmpFilesize
8KB
-
memory/1488-57-0x000000007155D000-0x0000000071568000-memory.dmpFilesize
44KB
-
memory/1488-54-0x0000000072AF1000-0x0000000072AF4000-memory.dmpFilesize
12KB
-
memory/1488-94-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1528-82-0x0000000000000000-mapping.dmp
-
memory/1528-90-0x0000000000A40000-0x0000000000AD3000-memory.dmpFilesize
588KB
-
memory/1528-86-0x0000000001610000-0x000000000162B000-memory.dmpFilesize
108KB
-
memory/1528-88-0x0000000000B10000-0x0000000000E13000-memory.dmpFilesize
3.0MB
-
memory/1528-87-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1672-62-0x0000000000000000-mapping.dmp
-
memory/1840-89-0x0000000000000000-mapping.dmp
-
memory/1840-91-0x000007FEFC001000-0x000007FEFC003000-memory.dmpFilesize
8KB