formbook | 0e8f31c511f0c4d2ab952cf42f4b6e2d21ed4612c054873a098e1075c8c76909

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KP_22-15-1201-8_ALM Tech_05.12.2022.xls
Size

1.5MB
MD5

278bd1188d5eb79992f50301e9c04011
SHA1

7f067b15020d3bd92b2c81ec9544a331e31bca8d
SHA256

0e8f31c511f0c4d2ab952cf42f4b6e2d21ed4612c054873a098e1075c8c76909
SHA512

1188302b674db1f0c65e73db7abe69b20c5e0c4f0f685c650e978ab0a6390b2ad025f308b4891f6c8b2779d46c259bbdba73a1051c137f4ad375dc8d25290cf8
SSDEEP

24576:MzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD/mlsr5XXXXXXXXXXXXUXXXXXXXrXXXu:ZMzzXtHY

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXEcmstp.exe

flow pid process

3 544 EQNEDT32.EXE
9 932 cmstp.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exexdzkcooocd.exexdzkcooocd.exe

pid process

1356 vbc.exe
1324 xdzkcooocd.exe
1944 xdzkcooocd.exe

flow	pid	process
3	544	EQNEDT32.EXE
9	932	cmstp.exe

pid	process
1356	vbc.exe
1324	xdzkcooocd.exe
1944	xdzkcooocd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xdzkcooocd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	xdzkcooocd.exe

Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvbc.exexdzkcooocd.execmstp.exe

pid process

544 EQNEDT32.EXE
544 EQNEDT32.EXE
544 EQNEDT32.EXE
1356 vbc.exe
1324 xdzkcooocd.exe
932 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
544	EQNEDT32.EXE
544	EQNEDT32.EXE
544	EQNEDT32.EXE
1356	vbc.exe
1324	xdzkcooocd.exe
932	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xdzkcooocd.exexdzkcooocd.execmstp.exe

description	pid	process	target process
PID 1324 set thread context of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1944 set thread context of 1220	1944	xdzkcooocd.exe	Explorer.EXE
PID 932 set thread context of 1220	932	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

544 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
544	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEcmstp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1720 EXCEL.EXE

pid	process
1720	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

xdzkcooocd.execmstp.exe

pid	process
1944	xdzkcooocd.exe
1944	xdzkcooocd.exe
1944	xdzkcooocd.exe
1944	xdzkcooocd.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

xdzkcooocd.exexdzkcooocd.execmstp.exe

pid process

1324 xdzkcooocd.exe
1944 xdzkcooocd.exe
1944 xdzkcooocd.exe
1944 xdzkcooocd.exe
932 cmstp.exe
932 cmstp.exe
932 cmstp.exe
932 cmstp.exe

pid	process
1324	xdzkcooocd.exe
1944	xdzkcooocd.exe
1944	xdzkcooocd.exe
1944	xdzkcooocd.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe
932	cmstp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

xdzkcooocd.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1944	xdzkcooocd.exe
Token: SeDebugPrivilege	932	cmstp.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1720 EXCEL.EXE
1720 EXCEL.EXE
1720 EXCEL.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1720	EXCEL.EXE
1720	EXCEL.EXE
1720	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEvbc.exexdzkcooocd.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 544 wrote to memory of 1356	544	EQNEDT32.EXE	vbc.exe
PID 544 wrote to memory of 1356	544	EQNEDT32.EXE	vbc.exe
PID 544 wrote to memory of 1356	544	EQNEDT32.EXE	vbc.exe
PID 544 wrote to memory of 1356	544	EQNEDT32.EXE	vbc.exe
PID 1356 wrote to memory of 1324	1356	vbc.exe	xdzkcooocd.exe
PID 1356 wrote to memory of 1324	1356	vbc.exe	xdzkcooocd.exe
PID 1356 wrote to memory of 1324	1356	vbc.exe	xdzkcooocd.exe
PID 1356 wrote to memory of 1324	1356	vbc.exe	xdzkcooocd.exe
PID 1324 wrote to memory of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1324 wrote to memory of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1324 wrote to memory of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1324 wrote to memory of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1324 wrote to memory of 1944	1324	xdzkcooocd.exe	xdzkcooocd.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 1220 wrote to memory of 932	1220	Explorer.EXE	cmstp.exe
PID 932 wrote to memory of 1992	932	cmstp.exe	Firefox.exe
PID 932 wrote to memory of 1992	932	cmstp.exe	Firefox.exe
PID 932 wrote to memory of 1992	932	cmstp.exe	Firefox.exe
PID 932 wrote to memory of 1992	932	cmstp.exe	Firefox.exe
PID 932 wrote to memory of 1992	932	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\KP_22-15-1201-8_ALM Tech_05.12.2022.xls"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1992

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
"C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe" C:\Users\Admin\AppData\Local\Temp\ciejdgh.ks
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
"C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ciejdgh.ks
Filesize
5KB

MD5
95f94f6c0937426a27ffe4a6c0c1f1ac

SHA1
c7e7e326ba7ce106921de134e87bf4b58251e763

SHA256
45919c2c09661fb3b6ea8078c9e14dfb963fd5b4756508319b6914a4fbfc5169

SHA512
f772938ab6c24a18e455a99296050193f717cf064738d595000f7204589a4a9280e96bb3b64017cd05e2d12e83404cb21da62090e46aefb7e227260c064948fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljilba.ize
Filesize
185KB

MD5
9e9e2574d508f0b065ce631116acb491

SHA1
137d9d3b0ce32f643f8f3e9634d256d23d16e5cd

SHA256
fd536d04e6b8da9b8b52e50efaefe6aa430ab65dfb44f33c12a7c4f4097af822

SHA512
5bdcaedcb9681a910ef43cf2ba90f5322c2c5d81cd2f48b39d16206c171281267af2c180f0948ddcae5158cf00a3cb7f61badae8518ba4df61a8e48274f48f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
C:\Users\Public\vbc.exe
Filesize
225KB

MD5
f0a448d757645c4c8159d946be6cd741

SHA1
b91620ad9a0f0363bc2c1c853af4012966491706

SHA256
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

SHA512
0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

Download Submit
C:\Users\Public\vbc.exe
Filesize
225KB

MD5
f0a448d757645c4c8159d946be6cd741

SHA1
b91620ad9a0f0363bc2c1c853af4012966491706

SHA256
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

SHA512
0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
\Users\Public\vbc.exe
Filesize
225KB

MD5
f0a448d757645c4c8159d946be6cd741

SHA1
b91620ad9a0f0363bc2c1c853af4012966491706

SHA256
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

SHA512
0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

Download Submit
\Users\Public\vbc.exe
Filesize
225KB

MD5
f0a448d757645c4c8159d946be6cd741

SHA1
b91620ad9a0f0363bc2c1c853af4012966491706

SHA256
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

SHA512
0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

Download Submit
\Users\Public\vbc.exe
Filesize
225KB

MD5
f0a448d757645c4c8159d946be6cd741

SHA1
b91620ad9a0f0363bc2c1c853af4012966491706

SHA256
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

SHA512
0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

Download Submit
memory/932-89-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/932-90-0x0000000001DA0000-0x0000000001E2F000-memory.dmp

Filesize
572KB

Download
memory/932-91-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/932-88-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/932-87-0x0000000000980000-0x0000000000998000-memory.dmp

Filesize
96KB

Download
memory/932-82-0x0000000000000000-mapping.dmp

Download
memory/1220-93-0x0000000004A40000-0x0000000004AD7000-memory.dmp

Filesize
604KB

Download
memory/1220-97-0x000007FEFB220000-0x000007FEFB363000-memory.dmp

Filesize
1.3MB

Download
memory/1220-92-0x0000000004A40000-0x0000000004AD7000-memory.dmp

Filesize
604KB

Download
memory/1220-98-0x000007FEE0170000-0x000007FEE017A000-memory.dmp

Filesize
40KB

Download
memory/1220-81-0x0000000004C40000-0x0000000004D06000-memory.dmp

Filesize
792KB

Download
memory/1324-68-0x0000000000000000-mapping.dmp

Download
memory/1356-63-0x0000000000000000-mapping.dmp

Download
memory/1720-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-55-0x0000000071801000-0x0000000071803000-memory.dmp

Filesize
8KB

Download
memory/1720-86-0x00000000727ED000-0x00000000727F8000-memory.dmp

Filesize
44KB

Download
memory/1720-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-54-0x000000002FEA1000-0x000000002FEA4000-memory.dmp

Filesize
12KB

Download
memory/1720-96-0x00000000727ED000-0x00000000727F8000-memory.dmp

Filesize
44KB

Download
memory/1720-57-0x00000000727ED000-0x00000000727F8000-memory.dmp

Filesize
44KB

Download
memory/1720-58-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1944-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-84-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1944-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-79-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1944-80-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1944-78-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1944-75-0x00000000004012B0-mapping.dmp

Download