Analysis
-
max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 13:32
Static task: static1
Behavioral task: behavioral1 (sample 000003_20221206.rtf, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 000003_20221206.rtf, resource win10v2004-20220901-en)
General
-
Target: 000003_20221206.rtf
Size: 3KB
MD5: feb31139c26b083f45bac3fedd811e2d
SHA1: 8c2b7d9d9a953a9f944c141498724da53624a12c
SHA256: 6b0f67636b41da6d6f69d57dd2b421c140ee5090c168eb09b08357c00eb1963d
SHA512: 487bc1ff45089071a6cdfbe9c6637285d7549fc4c011e8ec8fc4827609c531219d3c53b5516e03a48d07b623e7f904fc3f43c48c59a941a31918c5229996eba7
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: h3ha
Signatures
-
Formbook payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1556-77-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/1684-86-0x00000000000F0000-0x000000000011F000-memory.dmp  formbook
behavioral1/memory/1684-91-0x00000000000F0000-0x000000000011F000-memory.dmp  formbook
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
4     980   EQNEDT32.EXE
12    1684  msiexec.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1192  word.exe
1728  zgovbtz.exe
1556  zgovbtz.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
980   EQNEDT32.EXE
1192  word.exe
1728  zgovbtz.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process      target process
PID 1728 set thread context of 1556  1728  zgovbtz.exe  zgovbtz.exe
PID 1556 set thread context of 1268  1556  zgovbtz.exe  Explorer.EXE
PID 1684 set thread context of 1268  1684  msiexec.exe  Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description                   ioc                                process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource                                 yara_rule
\Users\Admin\AppData\Roaming\word.exe    nsis_installer_1
\Users\Admin\AppData\Roaming\word.exe    nsis_installer_2
C:\Users\Admin\AppData\Roaming\word.exe  nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe  nsis_installer_2
C:\Users\Admin\AppData\Roaming\word.exe  nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe  nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
-
Modifies registry class 64 IoCs
Processes:
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1452  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
pid   process
1556  zgovbtz.exe
1556  zgovbtz.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
1684  msiexec.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
1728  zgovbtz.exe
1556  zgovbtz.exe
1556  zgovbtz.exe
1556  zgovbtz.exe
1684  msiexec.exe
1684  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1556  zgovbtz.exe
Token: SeShutdownPrivilege  1268  Explorer.EXE
Token: SeDebugPrivilege     1684  msiexec.exe
Token: SeShutdownPrivilege  1268  Explorer.EXE
Token: SeShutdownPrivilege  1268  Explorer.EXE
Token: SeShutdownPrivilege  1268  Explorer.EXE
Token: SeShutdownPrivilege  1268  Explorer.EXE
Token: SeShutdownPrivilege  1268  Explorer.EXE
-
Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
pid   process
1452  WINWORD.EXE
1452  WINWORD.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1452  WINWORD.EXE
1452  WINWORD.EXE
-
Suspicious use of UnmapMainImage 9 IoCs
Processes:
pid   process
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
1268  Explorer.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description                       pid   process       target process
PID 980 wrote to memory of 1192   980   EQNEDT32.EXE  word.exe
PID 980 wrote to memory of 1192   980   EQNEDT32.EXE  word.exe
PID 980 wrote to memory of 1192   980   EQNEDT32.EXE  word.exe
PID 980 wrote to memory of 1192   980   EQNEDT32.EXE  word.exe
PID 1192 wrote to memory of 1728  1192  word.exe      zgovbtz.exe
PID 1192 wrote to memory of 1728  1192  word.exe      zgovbtz.exe
PID 1192 wrote to memory of 1728  1192  word.exe      zgovbtz.exe
PID 1192 wrote to memory of 1728  1192  word.exe      zgovbtz.exe
PID 1728 wrote to memory of 1556  1728  zgovbtz.exe   zgovbtz.exe
PID 1728 wrote to memory of 1556  1728  zgovbtz.exe   zgovbtz.exe
PID 1728 wrote to memory of 1556  1728  zgovbtz.exe   zgovbtz.exe
PID 1728 wrote to memory of 1556  1728  zgovbtz.exe   zgovbtz.exe
PID 1728 wrote to memory of 1556  1728  zgovbtz.exe   zgovbtz.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1268 wrote to memory of 1684  1268  Explorer.EXE  msiexec.exe
PID 1684 wrote to memory of 1060  1684  msiexec.exe   cmd.exe
PID 1684 wrote to memory of 1060  1684  msiexec.exe   cmd.exe
PID 1684 wrote to memory of 1060  1684  msiexec.exe   cmd.exe
PID 1684 wrote to memory of 1060  1684  msiexec.exe   cmd.exe
PID 1452 wrote to memory of 1960  1452  WINWORD.EXE   splwow64.exe
PID 1452 wrote to memory of 1960  1452  WINWORD.EXE   splwow64.exe
PID 1452 wrote to memory of 1960  1452  WINWORD.EXE   splwow64.exe
PID 1452 wrote to memory of 1960  1452  WINWORD.EXE   splwow64.exe
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\000003_20221206.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\word.exe
    command line: C:\Users\Admin\AppData\Roaming\word.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe" C:\Users\Admin\AppData\Local\Temp\ahbdus.k
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahbdus.k
Filesize: 5KB
MD5: 533b564dd4c64c19e3b7d860f03801a6
SHA1: 745a017c6f1e58a6b7bea787eb3a20597c17fb62
SHA256: 25a5b8a00567719024844286427f3fd986a6f72b4ed826bbae58d882c20fd3cd
SHA512: e1450a5ea0156db8cb02f359964ba1d279fcd0b8e60c30b8b39b51771e7da0b823a39fa2edcd184bc00152612fa1ae50e1304e7a8fb337102f33455df6372ddf
-
C:\Users\Admin\AppData\Local\Temp\nnfoo.p
Filesize: 185KB
MD5: 0fd8fad06f5a97c481fbbb60828d686e
SHA1: eab488ae696a31dbd02c959662e356612d5c4c40
SHA256: e3a937e8170b273687231c76c7539d1282a6c904df8b44aa249fc52dd09ab518
SHA512: b1151c9a8ce0b516879afc6838cb453d68d820ec4743b731974291d402fa0f0416b515b489ee7758de6c975402bd78bb016e9d8342a849157cce4ebc904de7f4
-
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize: 13KB
MD5: f15812c468166ad85fda4223195da140
SHA1: 4ed0da8b9e738f3d08a0f00270e92a0539e32136
SHA256: ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04
SHA512: bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa
-
C:\Users\Admin\AppData\Roaming\word.exe
Filesize: 414KB
MD5: a0c275ebd1005a313b20dd27ea739dcb
SHA1: 4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9
SHA256: 3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d
SHA512: 19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b