Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26-01-2023 08:07
Static task
static1
Behavioral task
behavioral1
Sample
Sample.docx
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Sample.docx
Resource
win10v2004-20220812-en
General
-
Target
Sample.docx
-
Size
10KB
-
MD5
884bf256520434bf9bdbd7a760176961
-
SHA1
2c79b5ca06f153b41a93d8ace4a7713d59621d9d
-
SHA256
574fce61f6fcf5e16be3fd8a77a56aeeb4d7a8868e2dccd0225c9c8c426e2913
-
SHA512
8216274591743f8f995cfa39753fb06f656d04fb676cde84d28f722adf3bcbe55330639344a898e37576dc71397b0743ecf83cbdbbc6d1c0a85596ee68bb92bd
-
SSDEEP
192:ScIMmtP8ar5G/bfIdTO3e/YnamWBX8ex6y3slZ:SPXt4ATO9nosMsH
Malware Config
Extracted
formbook
4.1
w12e
poshsalon.co.uk
ideeksha.net
eaglebreaks.com
exileine.me.uk
saveittoday.net
ceon.tech
estateagentswebsitedesign.uk
faropublicidade.com
depression-treatment-83678.com
informationdata16376.com
wirecreations.africa
coolsculpting-pros.life
ethoshabitats.com
amtindividual.com
gotoken.online
cherny-100-imec-msu.ru
historicaarcanum.com
gpsarhealthcare.com
kx1257.com
abdullahbinomar.com
utrem.xyz
khangkiencharcoal.com
fabvance-demos.online
jima68.com
1206b.com
guardianshipattorneyhouston.com
imziii.com
gaya-zohar.com
affluencegroup.net
xn--l3cj0azbal8cf5kobm.net
apogeebk.com
kwaranewsupdate.africa
buatosh.top
thenextlevelup.net
kristianstadspelforening.se
excertesi.com
swcctv.co.uk
actiontoyhouse.com
eisenhowerloan.com
brightupproduce.com
lojaedesign.com
kecheblog.com
vigilant-e.africa
internationaltaekwondo.net
annabenedetto.com
eboomp.pics
groupeverlaine.app
ebwwn.com
grasshopperspirit.online
getsafu.com
car-deals-75816.com
roddgunnstore.online
aiako.pro
homasp.club
bingo1818.xyz
work2050.co.uk
itgroup1.online
beyou-us.com
forthewitches.biz
felue.com
macroapi.net
hsfinancialservice.com
eoresla.club
alloahucondos.com
hkifarm.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1528-76-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1528-84-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1672-88-0x0000000000070000-0x000000000009F000-memory.dmp formbook behavioral1/memory/1672-90-0x0000000000070000-0x000000000009F000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 8 1252 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exetfqctjcgqi.exetfqctjcgqi.exepid process 292 vbc.exe 1312 tfqctjcgqi.exe 1528 tfqctjcgqi.exe -
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Common\Offline\Files\http://104.168.46.125/fresh/qwsdffhfhcvxcdgdfhfgjfjfgdfdfgxcvcxv.doc WINWORD.EXE -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEvbc.exetfqctjcgqi.exepid process 1252 EQNEDT32.EXE 292 vbc.exe 1312 tfqctjcgqi.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
tfqctjcgqi.exetfqctjcgqi.execscript.exedescription pid process target process PID 1312 set thread context of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1528 set thread context of 1208 1528 tfqctjcgqi.exe Explorer.EXE PID 1528 set thread context of 1208 1528 tfqctjcgqi.exe Explorer.EXE PID 1672 set thread context of 1208 1672 cscript.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1320 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
tfqctjcgqi.execscript.exepid process 1528 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe 1672 cscript.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
tfqctjcgqi.exetfqctjcgqi.execscript.exepid process 1312 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1528 tfqctjcgqi.exe 1672 cscript.exe 1672 cscript.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
tfqctjcgqi.exeExplorer.EXEcscript.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1528 tfqctjcgqi.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeDebugPrivilege 1672 cscript.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1320 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1320 WINWORD.EXE 1320 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEvbc.exeWINWORD.EXEtfqctjcgqi.exetfqctjcgqi.execscript.exedescription pid process target process PID 1252 wrote to memory of 292 1252 EQNEDT32.EXE vbc.exe PID 1252 wrote to memory of 292 1252 EQNEDT32.EXE vbc.exe PID 1252 wrote to memory of 292 1252 EQNEDT32.EXE vbc.exe PID 1252 wrote to memory of 292 1252 EQNEDT32.EXE vbc.exe PID 292 wrote to memory of 1312 292 vbc.exe tfqctjcgqi.exe PID 292 wrote to memory of 1312 292 vbc.exe tfqctjcgqi.exe PID 292 wrote to memory of 1312 292 vbc.exe tfqctjcgqi.exe PID 292 wrote to memory of 1312 292 vbc.exe tfqctjcgqi.exe PID 1320 wrote to memory of 844 1320 WINWORD.EXE splwow64.exe PID 1320 wrote to memory of 844 1320 WINWORD.EXE splwow64.exe PID 1320 wrote to memory of 844 1320 WINWORD.EXE splwow64.exe PID 1320 wrote to memory of 844 1320 WINWORD.EXE splwow64.exe PID 1312 wrote to memory of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1312 wrote to memory of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1312 wrote to memory of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1312 wrote to memory of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1312 wrote to memory of 1528 1312 tfqctjcgqi.exe tfqctjcgqi.exe PID 1528 wrote to memory of 1672 1528 tfqctjcgqi.exe cscript.exe PID 1528 wrote to memory of 1672 1528 tfqctjcgqi.exe cscript.exe PID 1528 wrote to memory of 1672 1528 tfqctjcgqi.exe cscript.exe PID 1528 wrote to memory of 1672 1528 tfqctjcgqi.exe cscript.exe PID 1672 wrote to memory of 1716 1672 cscript.exe cmd.exe PID 1672 wrote to memory of 1716 1672 cscript.exe cmd.exe PID 1672 wrote to memory of 1716 1672 cscript.exe cmd.exe PID 1672 wrote to memory of 1716 1672 cscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sample.docx"2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" C:\Users\Admin\AppData\Local\Temp\oyteaj.af3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\acraquzzrv.waFilesize
205KB
MD5ba5bb92e4cea6bf49ca73e365be9f960
SHA1cbf53149f3e07623c7fc7fc3716d4a1c6b077380
SHA2560ecd8a4f58319df5f2f5811a31041383871e7c45b5600c56efb20e818d2bff4b
SHA5123d739b48fb9f6a9c94beffbefb226809c524e305d3f3c162897df64f4966259ea98b101f9e45bdccb9e9792a34c8c7e4071ed009a4e8e97df862fb79cb1f43ae
-
C:\Users\Admin\AppData\Local\Temp\oyteaj.afFilesize
5KB
MD5d226323818b9d22aa10cf72eb9ed674f
SHA1069a773dda5180ed9e5bf4f73281add4d2703363
SHA2567b735eb480e6eedbe671dcba131bc226aafd4c9b039318944d45ed3470b968e3
SHA512051a1de340d78040913a4d1845e0451cd33ae23e1d52c84f9ac419e2dcdfa7897e9b1b8f773ff8ae84c4722a3db14d085f19ce4e293d42518365320f7cba5a49
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exeFilesize
253KB
MD5a3a5342dc14b3a616bf978c7ceb71628
SHA1d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA2569a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exeFilesize
253KB
MD5a3a5342dc14b3a616bf978c7ceb71628
SHA1d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA2569a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exeFilesize
253KB
MD5a3a5342dc14b3a616bf978c7ceb71628
SHA1d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA2569a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
C:\Users\Public\vbc.exeFilesize
340KB
MD570c2bfb3dd7b6467020e6ca5d7f037a3
SHA13fef1cb454c1760936795c94f4504bf0f9ee00ba
SHA256ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
SHA512e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
-
C:\Users\Public\vbc.exeFilesize
340KB
MD570c2bfb3dd7b6467020e6ca5d7f037a3
SHA13fef1cb454c1760936795c94f4504bf0f9ee00ba
SHA256ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
SHA512e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
-
\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exeFilesize
253KB
MD5a3a5342dc14b3a616bf978c7ceb71628
SHA1d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA2569a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exeFilesize
253KB
MD5a3a5342dc14b3a616bf978c7ceb71628
SHA1d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA2569a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
\Users\Public\vbc.exeFilesize
340KB
MD570c2bfb3dd7b6467020e6ca5d7f037a3
SHA13fef1cb454c1760936795c94f4504bf0f9ee00ba
SHA256ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
SHA512e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
-
memory/292-61-0x0000000000000000-mapping.dmp
-
memory/844-68-0x0000000000000000-mapping.dmp
-
memory/844-69-0x000007FEFC101000-0x000007FEFC103000-memory.dmpFilesize
8KB
-
memory/1208-96-0x000007FE9B230000-0x000007FE9B23A000-memory.dmpFilesize
40KB
-
memory/1208-92-0x00000000076A0000-0x00000000077F4000-memory.dmpFilesize
1.3MB
-
memory/1208-82-0x0000000004F00000-0x0000000005016000-memory.dmpFilesize
1.1MB
-
memory/1208-79-0x0000000004DF0000-0x0000000004EF4000-memory.dmpFilesize
1.0MB
-
memory/1208-91-0x00000000076A0000-0x00000000077F4000-memory.dmpFilesize
1.3MB
-
memory/1208-95-0x000007FEF6000000-0x000007FEF6143000-memory.dmpFilesize
1.3MB
-
memory/1312-66-0x0000000000000000-mapping.dmp
-
memory/1320-54-0x0000000072BF1000-0x0000000072BF4000-memory.dmpFilesize
12KB
-
memory/1320-55-0x0000000070671000-0x0000000070673000-memory.dmpFilesize
8KB
-
memory/1320-94-0x000000007165D000-0x0000000071668000-memory.dmpFilesize
44KB
-
memory/1320-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-80-0x000000007165D000-0x0000000071668000-memory.dmpFilesize
44KB
-
memory/1320-93-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1320-57-0x0000000075D01000-0x0000000075D03000-memory.dmpFilesize
8KB
-
memory/1320-58-0x000000007165D000-0x0000000071668000-memory.dmpFilesize
44KB
-
memory/1528-76-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1528-84-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1528-81-0x0000000000560000-0x0000000000574000-memory.dmpFilesize
80KB
-
memory/1528-78-0x00000000003C0000-0x00000000003D4000-memory.dmpFilesize
80KB
-
memory/1528-77-0x0000000000970000-0x0000000000C73000-memory.dmpFilesize
3.0MB
-
memory/1528-74-0x000000000041F130-mapping.dmp
-
memory/1672-85-0x0000000000DD0000-0x0000000000DF2000-memory.dmpFilesize
136KB
-
memory/1672-86-0x0000000000A60000-0x0000000000D63000-memory.dmpFilesize
3.0MB
-
memory/1672-88-0x0000000000070000-0x000000000009F000-memory.dmpFilesize
188KB
-
memory/1672-89-0x00000000008D0000-0x0000000000963000-memory.dmpFilesize
588KB
-
memory/1672-90-0x0000000000070000-0x000000000009F000-memory.dmpFilesize
188KB
-
memory/1672-83-0x0000000000000000-mapping.dmp
-
memory/1716-87-0x0000000000000000-mapping.dmp