formbook | 6b0f67636b41da6d6f69d57dd2b421c140ee5090c168eb09b08357c00eb1963d

Resubmissions

06-12-2022 13:34

221206-qt7mwscc89 10

06-12-2022 13:32

221206-qs85bsfb5t 10

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000003_20221206.rtf
Size

3KB
MD5

feb31139c26b083f45bac3fedd811e2d
SHA1

8c2b7d9d9a953a9f944c141498724da53624a12c
SHA256

6b0f67636b41da6d6f69d57dd2b421c140ee5090c168eb09b08357c00eb1963d
SHA512

487bc1ff45089071a6cdfbe9c6637285d7549fc4c011e8ec8fc4827609c531219d3c53b5516e03a48d07b623e7f904fc3f43c48c59a941a31918c5229996eba7

Score

10^/10

formbook h3ha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1556-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1684-86-0x00000000000F0000-0x000000000011F000-memory.dmp	formbook
behavioral1/memory/1684-91-0x00000000000F0000-0x000000000011F000-memory.dmp	formbook

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXEmsiexec.exe

flow pid process

4 980 EQNEDT32.EXE
12 1684 msiexec.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

word.exezgovbtz.exezgovbtz.exe

pid process

1192 word.exe
1728 zgovbtz.exe
1556 zgovbtz.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEword.exezgovbtz.exe

pid process

980 EQNEDT32.EXE
1192 word.exe
1728 zgovbtz.exe

flow	pid	process
4	980	EQNEDT32.EXE
12	1684	msiexec.exe

pid	process
1192	word.exe
1728	zgovbtz.exe
1556	zgovbtz.exe

pid	process
980	EQNEDT32.EXE
1192	word.exe
1728	zgovbtz.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zgovbtz.exezgovbtz.exemsiexec.exe

description	pid	process	target process
PID 1728 set thread context of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1556 set thread context of 1268	1556	zgovbtz.exe	Explorer.EXE
PID 1684 set thread context of 1268	1684	msiexec.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\word.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\word.exe	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

980 EQNEDT32.EXE

pid	process
980	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1452 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

zgovbtz.exemsiexec.exe

pid	process
1556	zgovbtz.exe
1556	zgovbtz.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

zgovbtz.exezgovbtz.exemsiexec.exe

pid process

1728 zgovbtz.exe
1556 zgovbtz.exe
1556 zgovbtz.exe
1556 zgovbtz.exe
1684 msiexec.exe
1684 msiexec.exe

pid	process
1728	zgovbtz.exe
1556	zgovbtz.exe
1556	zgovbtz.exe
1556	zgovbtz.exe
1684	msiexec.exe
1684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

zgovbtz.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1556	zgovbtz.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

WINWORD.EXEExplorer.EXE

pid	process
1452	WINWORD.EXE
1452	WINWORD.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1452 WINWORD.EXE
1452 WINWORD.EXE

Suspicious use of UnmapMainImage 9 IoCs

Processes:

Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEword.exezgovbtz.exeExplorer.EXEmsiexec.exeWINWORD.EXE

description	pid	process	target process
PID 980 wrote to memory of 1192	980	EQNEDT32.EXE	word.exe
PID 980 wrote to memory of 1192	980	EQNEDT32.EXE	word.exe
PID 980 wrote to memory of 1192	980	EQNEDT32.EXE	word.exe
PID 980 wrote to memory of 1192	980	EQNEDT32.EXE	word.exe
PID 1192 wrote to memory of 1728	1192	word.exe	zgovbtz.exe
PID 1192 wrote to memory of 1728	1192	word.exe	zgovbtz.exe
PID 1192 wrote to memory of 1728	1192	word.exe	zgovbtz.exe
PID 1192 wrote to memory of 1728	1192	word.exe	zgovbtz.exe
PID 1728 wrote to memory of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1728 wrote to memory of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1728 wrote to memory of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1728 wrote to memory of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1728 wrote to memory of 1556	1728	zgovbtz.exe	zgovbtz.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1268 wrote to memory of 1684	1268	Explorer.EXE	msiexec.exe
PID 1684 wrote to memory of 1060	1684	msiexec.exe	cmd.exe
PID 1684 wrote to memory of 1060	1684	msiexec.exe	cmd.exe
PID 1684 wrote to memory of 1060	1684	msiexec.exe	cmd.exe
PID 1684 wrote to memory of 1060	1684	msiexec.exe	cmd.exe
PID 1452 wrote to memory of 1960	1452	WINWORD.EXE	splwow64.exe
PID 1452 wrote to memory of 1960	1452	WINWORD.EXE	splwow64.exe
PID 1452 wrote to memory of 1960	1452	WINWORD.EXE	splwow64.exe
PID 1452 wrote to memory of 1960	1452	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\000003_20221206.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1960

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
3⤵
PID:1060

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Roaming\word.exe
C:\Users\Admin\AppData\Roaming\word.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
"C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe" C:\Users\Admin\AppData\Local\Temp\ahbdus.k
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
"C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahbdus.k
Filesize
5KB

MD5
533b564dd4c64c19e3b7d860f03801a6

SHA1
745a017c6f1e58a6b7bea787eb3a20597c17fb62

SHA256
25a5b8a00567719024844286427f3fd986a6f72b4ed826bbae58d882c20fd3cd

SHA512
e1450a5ea0156db8cb02f359964ba1d279fcd0b8e60c30b8b39b51771e7da0b823a39fa2edcd184bc00152612fa1ae50e1304e7a8fb337102f33455df6372ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnfoo.p
Filesize
185KB

MD5
0fd8fad06f5a97c481fbbb60828d686e

SHA1
eab488ae696a31dbd02c959662e356612d5c4c40

SHA256
e3a937e8170b273687231c76c7539d1282a6c904df8b44aa249fc52dd09ab518

SHA512
b1151c9a8ce0b516879afc6838cb453d68d820ec4743b731974291d402fa0f0416b515b489ee7758de6c975402bd78bb016e9d8342a849157cce4ebc904de7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
Filesize
414KB

MD5
a0c275ebd1005a313b20dd27ea739dcb

SHA1
4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9

SHA256
3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

SHA512
19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
Filesize
414KB

MD5
a0c275ebd1005a313b20dd27ea739dcb

SHA1
4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9

SHA256
3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

SHA512
19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
414KB

MD5
a0c275ebd1005a313b20dd27ea739dcb

SHA1
4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9

SHA256
3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

SHA512
19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b

Download Submit
memory/1060-83-0x0000000000000000-mapping.dmp

Download
memory/1192-62-0x0000000000000000-mapping.dmp

Download
memory/1268-94-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/1268-90-0x0000000004AB0000-0x0000000004C13000-memory.dmp

Filesize
1.4MB

Download
memory/1268-89-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/1268-80-0x0000000004AB0000-0x0000000004C13000-memory.dmp

Filesize
1.4MB

Download
memory/1452-58-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-57-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1452-60-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/1452-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1452-55-0x0000000070281000-0x0000000070283000-memory.dmp

Filesize
8KB

Download
memory/1452-76-0x000000006B911000-0x000000006B913000-memory.dmp

Filesize
8KB

Download
memory/1452-54-0x0000000072801000-0x0000000072804000-memory.dmp

Filesize
12KB

Download
memory/1452-84-0x000000006B451000-0x000000006B453000-memory.dmp

Filesize
8KB

Download
memory/1556-78-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download
memory/1556-79-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1556-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-74-0x000000000041F0D0-mapping.dmp

Download
memory/1684-81-0x0000000000000000-mapping.dmp

Download
memory/1684-85-0x0000000000A80000-0x0000000000A94000-memory.dmp

Filesize
80KB

Download
memory/1684-86-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/1684-87-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/1684-88-0x0000000001EF0000-0x0000000001F83000-memory.dmp

Filesize
588KB

Download
memory/1684-91-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/1728-67-0x0000000000000000-mapping.dmp

Download
memory/1960-92-0x0000000000000000-mapping.dmp

Download
memory/1960-93-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download