a57e3a2190a79be6fa4a61e7128bbeb8965b3a49ffdfc12c57b13533bb335517

Analysis

max time kernel
102s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ba454f4baf1370b1891916313e0fe539a16bf2ef9eedc7982c758e2402ebbb.rtf
Size

31KB
MD5

21b0f108a099754e1701da5a18f13ced
SHA1

7400bcfa90fe05a43f0d28d49e022187ba572734
SHA256

40ba454f4baf1370b1891916313e0fe539a16bf2ef9eedc7982c758e2402ebbb
SHA512

4cdb670172699fe6fc225365b1787ceac17f0a07c6d253821daa8bcd6b316c00a878eee7e76bf365acc8e13d7006336358836370980c13cb4c42d07164174906
SSDEEP

768:+Fx0XaIsnPRIa4fwJMKiUj+nPuA7JrPY6xKbRAvMBTEgU54L:+f0Xvx3EMKiU6nGA75QbyvMB/5

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	668	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1280	ohoyecnyru65.exe
1100	fzovcssdyv.exe
1960	fzovcssdyv.exe

Loads dropped DLL 4 IoCs

pid	Process
668	EQNEDT32.EXE
1280	ohoyecnyru65.exe
1280	ohoyecnyru65.exe
1100	fzovcssdyv.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzovcssdyv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzovcssdyv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzovcssdyv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 1960	1100	fzovcssdyv.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
668	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1648	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1100	fzovcssdyv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	fzovcssdyv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1648	WINWORD.EXE
1648	WINWORD.EXE
1960	fzovcssdyv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1280	668	EQNEDT32.EXE	31
PID 668 wrote to memory of 1280	668	EQNEDT32.EXE	31
PID 668 wrote to memory of 1280	668	EQNEDT32.EXE	31
PID 668 wrote to memory of 1280	668	EQNEDT32.EXE	31
PID 1280 wrote to memory of 1100	1280	ohoyecnyru65.exe	32
PID 1280 wrote to memory of 1100	1280	ohoyecnyru65.exe	32
PID 1280 wrote to memory of 1100	1280	ohoyecnyru65.exe	32
PID 1280 wrote to memory of 1100	1280	ohoyecnyru65.exe	32
PID 1100 wrote to memory of 1960	1100	fzovcssdyv.exe	35
PID 1100 wrote to memory of 1960	1100	fzovcssdyv.exe	35
PID 1100 wrote to memory of 1960	1100	fzovcssdyv.exe	35
PID 1100 wrote to memory of 1960	1100	fzovcssdyv.exe	35
PID 1100 wrote to memory of 1960	1100	fzovcssdyv.exe	35
PID 1648 wrote to memory of 1640	1648	WINWORD.EXE	37
PID 1648 wrote to memory of 1640	1648	WINWORD.EXE	37
PID 1648 wrote to memory of 1640	1648	WINWORD.EXE	37
PID 1648 wrote to memory of 1640	1648	WINWORD.EXE	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzovcssdyv.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzovcssdyv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\40ba454f4baf1370b1891916313e0fe539a16bf2ef9eedc7982c758e2402ebbb.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1640

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Roaming\ohoyecnyru65.exe
  "C:\Users\Admin\AppData\Roaming\ohoyecnyru65.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe
    "C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe" C:\Users\Admin\AppData\Local\Temp\lzwbumz.xrk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe
      "C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzwbumz.xrk

Filesize
5KB

MD5
0fd7afd3bfe7171d81a1d47d842bb9ce

SHA1
f0ba1898722f8154a98a0c999c58f016b2388de6

SHA256
5a5978044e5d568f13456d71c4f3e85adc244b34d2a0543026fac4a8e06c30ee

SHA512
13dfbd66e6f919384259bc78faeb7b5c19305e60bbd185390371b163e227b71f1c1ac595b1eb21af8eeffbc9c9a529c16c1028e20d7f97a9db2a82388efec805

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnblnrrru.qwx

Filesize
261KB

MD5
3b12a5756719621ddf8fbef925360719

SHA1
e13cd4d2459b3a6be7d62ba1176acc0e418bedac

SHA256
eadfcff1e10278e4f12070e38ada28b37aaef9f50a576bf115284234d31e38e3

SHA512
185206f9bba89ad75c266f1ec2f081065d4dc337d3b59c93539efafe1868c327337567c536f425540ceb5cf8fdb4b4d029b831d333e5357abc12152000fa56c0

Download Submit
C:\Users\Admin\AppData\Roaming\ohoyecnyru65.exe

Filesize
463KB

MD5
538b445733e89bf3eaaaf93097070ce9

SHA1
ec8aa8460d01eb1f3371833cda1714562124069d

SHA256
aec1403ea61620ef0c9d054282c12023fd5f09928fa3f77741219db71af39f92

SHA512
811b27059cca34805b1c0094f52dc99fa4a0e1bd7ed21b20a32df40bfb478f8b95bfaadf676382ed1daf3d9930c44947b7005b9c757b4b4855a15f409334d780

Download Submit
C:\Users\Admin\AppData\Roaming\ohoyecnyru65.exe

Filesize
463KB

MD5
538b445733e89bf3eaaaf93097070ce9

SHA1
ec8aa8460d01eb1f3371833cda1714562124069d

SHA256
aec1403ea61620ef0c9d054282c12023fd5f09928fa3f77741219db71af39f92

SHA512
811b27059cca34805b1c0094f52dc99fa4a0e1bd7ed21b20a32df40bfb478f8b95bfaadf676382ed1daf3d9930c44947b7005b9c757b4b4855a15f409334d780

Download Submit
\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
\Users\Admin\AppData\Local\Temp\fzovcssdyv.exe

Filesize
84KB

MD5
c000be4b3261884e9f41cfc4b638a03c

SHA1
c90cd3029a2544ed6b4a66ebfaf22486c2f09acd

SHA256
b870a240d8423936195a3e9648e646ef90611e80ef5efc1e95daae119af35115

SHA512
57671dee13502cda42f890ff8e420b5486af94895e1fbd25147d30a1b3d87e3c37b8bb637b1778d267c7da679c30a4d9d4c6bc6fb1653e7063f03abfef7c7833

Download Submit
\Users\Admin\AppData\Roaming\ohoyecnyru65.exe

Filesize
463KB

MD5
538b445733e89bf3eaaaf93097070ce9

SHA1
ec8aa8460d01eb1f3371833cda1714562124069d

SHA256
aec1403ea61620ef0c9d054282c12023fd5f09928fa3f77741219db71af39f92

SHA512
811b27059cca34805b1c0094f52dc99fa4a0e1bd7ed21b20a32df40bfb478f8b95bfaadf676382ed1daf3d9930c44947b7005b9c757b4b4855a15f409334d780

Download Submit
memory/1640-80-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/1648-55-0x000000006FBB1000-0x000000006FBB3000-memory.dmp

Filesize
8KB

Download
memory/1648-54-0x0000000072131000-0x0000000072134000-memory.dmp

Filesize
12KB

Download
memory/1648-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-78-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/1648-57-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1648-58-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/1648-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-82-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/1960-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-77-0x0000000002000000-0x0000000002030000-memory.dmp

Filesize
192KB

Download