formbook | 4659186cccfb9bb9cf85deb8456bd9dcc4a55a5efb81d5498403c795eae490f9

Resubmissions

11/01/2023, 03:20

230111-dvwksseb6y 10

10/01/2023, 18:55

230110-xkrnmshb25 10

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 90809.rtf
Size

32KB
MD5

ef93fa6845a7f03d2809cf03a14e0c39
SHA1

d2e4d2a05c854705fa43d40b5db4ff414b28a586
SHA256

4659186cccfb9bb9cf85deb8456bd9dcc4a55a5efb81d5498403c795eae490f9
SHA512

d63b6f0180fc0b93eff8ff67049d7bb4466cd30e78f85ba8542d3d02662d04d41d2d6a23c22d0e33fb2a808ebc36cab2fced2e698c136da13b801d6209277e00
SSDEEP

768:bFx0XaIsnPRIa4fwJMZasp60BjDpA7V/HUMpqX6ZivAsrtAzckNdvG:bf0Xvx3EMZaCHB3pqHUMEq4vAzckNVG

Score

10^/10

formbook pe63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pe63

Decoy

iparkshonan.com

cahoonset.com

chuliji.com

judiangka.boats

casadecanyonlane.com

hukaol.xyz

websiteclonescripts.com

jjlpoi.com

e-insurance.africa

buketubalonu.com

foruminati.se

12rivalo.xyz

bblifebizsolutions.com

larimarfitness.com

conectado.xyz

511271.com

shpte-energy.net

thewayit.net

jpdentistry.co.uk

aisini5201314.love

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/268-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/696-84-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/696-87-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1984	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
884	binkellyncru65.exe
1048	ospmnvzt.exe
268	ospmnvzt.exe

Loads dropped DLL 4 IoCs

pid	Process
1984	EQNEDT32.EXE
884	binkellyncru65.exe
884	binkellyncru65.exe
1048	ospmnvzt.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 268	1048	ospmnvzt.exe	34
PID 268 set thread context of 1420	268	ospmnvzt.exe	15
PID 696 set thread context of 1420	696	rundll32.exe	15

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1984	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1708	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
268	ospmnvzt.exe
268	ospmnvzt.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe
696	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1048	ospmnvzt.exe
268	ospmnvzt.exe
268	ospmnvzt.exe
268	ospmnvzt.exe
696	rundll32.exe
696	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	ospmnvzt.exe
Token: SeDebugPrivilege	696	rundll32.exe
Token: SeShutdownPrivilege	1420	Explorer.EXE
Token: SeShutdownPrivilege	1420	Explorer.EXE
Token: SeShutdownPrivilege	1420	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1708	WINWORD.EXE
1708	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 884	1984	EQNEDT32.EXE	30
PID 1984 wrote to memory of 884	1984	EQNEDT32.EXE	30
PID 1984 wrote to memory of 884	1984	EQNEDT32.EXE	30
PID 1984 wrote to memory of 884	1984	EQNEDT32.EXE	30
PID 884 wrote to memory of 1048	884	binkellyncru65.exe	31
PID 884 wrote to memory of 1048	884	binkellyncru65.exe	31
PID 884 wrote to memory of 1048	884	binkellyncru65.exe	31
PID 884 wrote to memory of 1048	884	binkellyncru65.exe	31
PID 1048 wrote to memory of 268	1048	ospmnvzt.exe	34
PID 1048 wrote to memory of 268	1048	ospmnvzt.exe	34
PID 1048 wrote to memory of 268	1048	ospmnvzt.exe	34
PID 1048 wrote to memory of 268	1048	ospmnvzt.exe	34
PID 1048 wrote to memory of 268	1048	ospmnvzt.exe	34
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 1420 wrote to memory of 696	1420	Explorer.EXE	35
PID 696 wrote to memory of 1020	696	rundll32.exe	36
PID 696 wrote to memory of 1020	696	rundll32.exe	36
PID 696 wrote to memory of 1020	696	rundll32.exe	36
PID 696 wrote to memory of 1020	696	rundll32.exe	36
PID 1708 wrote to memory of 916	1708	WINWORD.EXE	38
PID 1708 wrote to memory of 916	1708	WINWORD.EXE	38
PID 1708 wrote to memory of 916	1708	WINWORD.EXE	38
PID 1708 wrote to memory of 916	1708	WINWORD.EXE	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 90809.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:916
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe"
    3⤵
    PID:1020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Roaming\binkellyncru65.exe
  "C:\Users\Admin\AppData\Roaming\binkellyncru65.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe
    "C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe" C:\Users\Admin\AppData\Local\Temp\jhmocq.jx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe
      "C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jhmocq.jx

Filesize
5KB

MD5
f0d6ce29c7d4a2b7f3a7ff69b6cf5353

SHA1
2a895a4bd1bcf5a22c38d61779f9057766e52c40

SHA256
f4d49ec517044d0d5ec1a29436be9c69c250acf4be1e5ac7af43791a6ef271f3

SHA512
f00281d0a800dee3156fc8bfee556293524a2238b503142d52db8dd3e39aa640f549c7df703aef6e1b76ca852dee922b6e71338d27e253e5d27e203a59406a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oexfqcgd.z

Filesize
205KB

MD5
a7cedf82866ca1e803f6e469966409a7

SHA1
b16b972065225947fcfec017c3ce28eb65883b1f

SHA256
7d95851fcc91a44755f6a63b90b6b2c5ea4c6d437f7e05dd73d571531fbb6929

SHA512
63fa6d0c1bfc88e428d44193fe7d6a7cec3619f6d804c2bc9dd93982f4673cf46b441460cbb9191f93d82b66956c12e31ad72c561173d7ebbdad95ecef9754a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
C:\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
C:\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
444KB

MD5
5868b13243f0fbbdbb63957ff8f720e7

SHA1
9606a69b84265c795dd87bf76287d6421a700de7

SHA256
f7bb2d35300a95c164089832c13410023d2293390130109ae3693fd0d05a3df8

SHA512
b728580d9e1e6c188f034ca3f5a4004cad9c07721257169b3d8b6087f45aebe09cdcfb635990cf86c059bcd2b81e1aa1a980a25354117f0279884581e87b1446

Download Submit
C:\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
444KB

MD5
5868b13243f0fbbdbb63957ff8f720e7

SHA1
9606a69b84265c795dd87bf76287d6421a700de7

SHA256
f7bb2d35300a95c164089832c13410023d2293390130109ae3693fd0d05a3df8

SHA512
b728580d9e1e6c188f034ca3f5a4004cad9c07721257169b3d8b6087f45aebe09cdcfb635990cf86c059bcd2b81e1aa1a980a25354117f0279884581e87b1446

Download Submit
\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
\Users\Admin\AppData\Local\Temp\ospmnvzt.exe

Filesize
84KB

MD5
77e08260b20d281991363ada629a346c

SHA1
567caa29d7ed00cc68dd9e0ffedc01bfe94d8036

SHA256
7c99378533b2d867be3c7a441ec63437a2af1f29ec52b5cfd02b387176166c41

SHA512
fa51ad302c0cc72529b1a873e776ac01483379648c6c531909ed288a0bf8deac1048685d49868bb481c0187ecc434b2f2e3b81073198ff674bb2089be3c37684

Download Submit
\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
444KB

MD5
5868b13243f0fbbdbb63957ff8f720e7

SHA1
9606a69b84265c795dd87bf76287d6421a700de7

SHA256
f7bb2d35300a95c164089832c13410023d2293390130109ae3693fd0d05a3df8

SHA512
b728580d9e1e6c188f034ca3f5a4004cad9c07721257169b3d8b6087f45aebe09cdcfb635990cf86c059bcd2b81e1aa1a980a25354117f0279884581e87b1446

Download Submit
memory/268-76-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/268-77-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/268-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-86-0x0000000000920000-0x00000000009B4000-memory.dmp

Filesize
592KB

Download
memory/696-85-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/696-87-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/696-83-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/696-84-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/916-90-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1420-78-0x00000000070F0000-0x000000000722C000-memory.dmp

Filesize
1.2MB

Download
memory/1420-89-0x0000000007ED0000-0x0000000008025000-memory.dmp

Filesize
1.3MB

Download
memory/1420-91-0x0000000007ED0000-0x0000000008025000-memory.dmp

Filesize
1.3MB

Download
memory/1708-82-0x000000007113D000-0x0000000071148000-memory.dmp

Filesize
44KB

Download
memory/1708-55-0x0000000070151000-0x0000000070153000-memory.dmp

Filesize
8KB

Download
memory/1708-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-57-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1708-58-0x000000007113D000-0x0000000071148000-memory.dmp

Filesize
44KB

Download
memory/1708-54-0x00000000726D1000-0x00000000726D4000-memory.dmp

Filesize
12KB

Download
memory/1708-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-93-0x000000007113D000-0x0000000071148000-memory.dmp

Filesize
44KB

Download