formbook | 4659186cccfb9bb9cf85deb8456bd9dcc4a55a5efb81d5498403c795eae490f9

Resubmissions

11/01/2023, 03:20

230111-dvwksseb6y 10

10/01/2023, 18:55

230110-xkrnmshb25 10

Analysis

max time kernel
210s
max time network
210s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/01/2023, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 90809.rtf
Size

32KB
MD5

ef93fa6845a7f03d2809cf03a14e0c39
SHA1

d2e4d2a05c854705fa43d40b5db4ff414b28a586
SHA256

4659186cccfb9bb9cf85deb8456bd9dcc4a55a5efb81d5498403c795eae490f9
SHA512

d63b6f0180fc0b93eff8ff67049d7bb4466cd30e78f85ba8542d3d02662d04d41d2d6a23c22d0e33fb2a808ebc36cab2fced2e698c136da13b801d6209277e00
SSDEEP

768:bFx0XaIsnPRIa4fwJMZasp60BjDpA7V/HUMpqX6ZivAsrtAzckNdvG:bf0Xvx3EMZaCHB3pqHUMEq4vAzckNVG

Score

10^/10

formbook pe63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pe63

Decoy

iparkshonan.com

cahoonset.com

chuliji.com

judiangka.boats

casadecanyonlane.com

hukaol.xyz

websiteclonescripts.com

jjlpoi.com

e-insurance.africa

buketubalonu.com

foruminati.se

12rivalo.xyz

bblifebizsolutions.com

larimarfitness.com

conectado.xyz

511271.com

shpte-energy.net

thewayit.net

jpdentistry.co.uk

aisini5201314.love

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/956-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1568-83-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1568-89-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	624	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1592	binkellyncru65.exe
1852	eimznp.exe
956	eimznp.exe

Loads dropped DLL 4 IoCs

pid	Process
624	EQNEDT32.EXE
1592	binkellyncru65.exe
1592	binkellyncru65.exe
1852	eimznp.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 956	1852	eimznp.exe	35
PID 956 set thread context of 1432	956	eimznp.exe	16
PID 1568 set thread context of 1432	1568	msiexec.exe	16

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
624	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1728	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
956	eimznp.exe
956	eimznp.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe
1568	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1852	eimznp.exe
956	eimznp.exe
956	eimznp.exe
956	eimznp.exe
1568	msiexec.exe
1568	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	eimznp.exe
Token: SeShutdownPrivilege	1432	Explorer.EXE
Token: SeDebugPrivilege	1568	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1432	Explorer.EXE
1432	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1432	Explorer.EXE
1432	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1728	WINWORD.EXE
1728	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1592	624	EQNEDT32.EXE	31
PID 624 wrote to memory of 1592	624	EQNEDT32.EXE	31
PID 624 wrote to memory of 1592	624	EQNEDT32.EXE	31
PID 624 wrote to memory of 1592	624	EQNEDT32.EXE	31
PID 1592 wrote to memory of 1852	1592	binkellyncru65.exe	32
PID 1592 wrote to memory of 1852	1592	binkellyncru65.exe	32
PID 1592 wrote to memory of 1852	1592	binkellyncru65.exe	32
PID 1592 wrote to memory of 1852	1592	binkellyncru65.exe	32
PID 1852 wrote to memory of 956	1852	eimznp.exe	35
PID 1852 wrote to memory of 956	1852	eimznp.exe	35
PID 1852 wrote to memory of 956	1852	eimznp.exe	35
PID 1852 wrote to memory of 956	1852	eimznp.exe	35
PID 1852 wrote to memory of 956	1852	eimznp.exe	35
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1432 wrote to memory of 1568	1432	Explorer.EXE	39
PID 1568 wrote to memory of 552	1568	msiexec.exe	40
PID 1568 wrote to memory of 552	1568	msiexec.exe	40
PID 1568 wrote to memory of 552	1568	msiexec.exe	40
PID 1568 wrote to memory of 552	1568	msiexec.exe	40
PID 1728 wrote to memory of 1628	1728	WINWORD.EXE	42
PID 1728 wrote to memory of 1628	1728	WINWORD.EXE	42
PID 1728 wrote to memory of 1628	1728	WINWORD.EXE	42
PID 1728 wrote to memory of 1628	1728	WINWORD.EXE	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 90809.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1628
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:928
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1524
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\eimznp.exe"
    3⤵
    PID:552

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Roaming\binkellyncru65.exe
  "C:\Users\Admin\AppData\Roaming\binkellyncru65.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\eimznp.exe
    "C:\Users\Admin\AppData\Local\Temp\eimznp.exe" C:\Users\Admin\AppData\Local\Temp\qskbfjk.aiw
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\eimznp.exe
      "C:\Users\Admin\AppData\Local\Temp\eimznp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhcujxqfmbq.o

Filesize
205KB

MD5
acd78c4caec99e6b79905b54e54a25b9

SHA1
534f7b65471fa70b580c5906fb381e2031fc0a3f

SHA256
21b3b0fbc81a91524a3546efd76b8f9e7087611e14bc86af33e179782fc78232

SHA512
4de557b5009630ededcb413a9fdd73d7e1b39132472cca719bb3c97c7958832e44bfbd7998ac4dfc65b7609c86214534886a34e499f2ea4b8d3e40b6903b54c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskbfjk.aiw

Filesize
5KB

MD5
198031ea6f9a56d93d0215c764de6d2a

SHA1
b8fcfafb8f0ac83e4d2fd8cb58dcb9d5826a23d7

SHA256
8c23ebf16ad3877bc0698f8f7eecc7939dfc070747062270c42df5d03bb3bcd9

SHA512
6d22d878fde3a63c42053924c52595e0a3b6ce93c0685275b5d5e1859779aca655b1558495b0404070794c1b29fbf13395cdb9221c6ed4ac159d28ff00535a32

Download Submit
C:\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
431KB

MD5
b231e7d8369f13df570e824dd65c5e44

SHA1
5fa2fd0746bce832c00c72a8a75d864ad1793b19

SHA256
19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af

SHA512
9daf9c63b00782ff2f9676d6bef5d4694ea1a4480e6a3f8e2dbdd93d5a7ea506c1e222a563c196ddbd74e7b75193f5b67cf93bb26dc16d285dba7b189eb5dde8

Download Submit
C:\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
431KB

MD5
b231e7d8369f13df570e824dd65c5e44

SHA1
5fa2fd0746bce832c00c72a8a75d864ad1793b19

SHA256
19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af

SHA512
9daf9c63b00782ff2f9676d6bef5d4694ea1a4480e6a3f8e2dbdd93d5a7ea506c1e222a563c196ddbd74e7b75193f5b67cf93bb26dc16d285dba7b189eb5dde8

Download Submit
\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
\Users\Admin\AppData\Roaming\binkellyncru65.exe

Filesize
431KB

MD5
b231e7d8369f13df570e824dd65c5e44

SHA1
5fa2fd0746bce832c00c72a8a75d864ad1793b19

SHA256
19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af

SHA512
9daf9c63b00782ff2f9676d6bef5d4694ea1a4480e6a3f8e2dbdd93d5a7ea506c1e222a563c196ddbd74e7b75193f5b67cf93bb26dc16d285dba7b189eb5dde8

Download Submit
memory/956-77-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/956-76-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/956-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-90-0x0000000003A70000-0x0000000003B28000-memory.dmp

Filesize
736KB

Download
memory/1432-78-0x00000000047E0000-0x00000000048A9000-memory.dmp

Filesize
804KB

Download
memory/1432-91-0x0000000003A70000-0x0000000003B28000-memory.dmp

Filesize
736KB

Download
memory/1568-87-0x0000000000A40000-0x0000000000AD4000-memory.dmp

Filesize
592KB

Download
memory/1568-89-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1568-82-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/1568-83-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1568-84-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/1628-88-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1728-54-0x0000000072261000-0x0000000072264000-memory.dmp

Filesize
12KB

Download
memory/1728-85-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1728-55-0x000000006FCE1000-0x000000006FCE3000-memory.dmp

Filesize
8KB

Download
memory/1728-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-57-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1728-58-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download