formbook | 9e89ae3e1c950baa301e0061cbbd578b35bd9bd016afd77ed9495c70a1999956

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/02/2023, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e89ae3e1c950baa301e0061cbbd578b35bd9bd016afd77ed9495c70a1999956.xlsx
Size

947KB
MD5

06eff9fb8f6098158272b5a9ff87f0fd
SHA1

934dbfa6420ece2eedc1b197bb52d72a733c35f7
SHA256

9e89ae3e1c950baa301e0061cbbd578b35bd9bd016afd77ed9495c70a1999956
SHA512

fc340415e01c1f7179c071c5eece2a39ce0aa3d0b16490d550ed26ac45187b2e56354bda2abad8ae8072cf77c7e134e647bf06b0ce3c40dea5193c1b6a014ec6
SSDEEP

24576:9jDnTuEKc8PJ5557OvpmXgBChtuZRb5imJ7EbuZAieK:tTOJ5557OAXECHuZRbYmJ7kQeK

Score

10^/10

formbook vr21 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr21

Decoy

detrop.ru

bolacash.club

thezoidtv.africa

bigartgallerystudio.com

doshkoljata.ru

gamesdaybuddiessingles.com

zonlin.net

thehilltoplodges.co.uk

fcvip.club

amandacurtinnutrition.com

londonairporttaxies.com

graniteteammates.com

devthanhvo.site

kl-thelabel.com

a1choice.net

amzprod.com

iwaint.com

device-children.com

canada-immigration-72440.com

irsdev.ru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1760-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1660-85-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/1660-88-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1956	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1908	name.exe
1456	qzggr.exe
1760	qzggr.exe

Loads dropped DLL 3 IoCs

pid	Process
1736	cmd.exe
1908	name.exe
1456	qzggr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 1760	1456	qzggr.exe	33
PID 1760 set thread context of 1248	1760	qzggr.exe	14
PID 1660 set thread context of 1248	1660	wuapp.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1956	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
368	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1760	qzggr.exe
1760	qzggr.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe
1660	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1456	qzggr.exe
1760	qzggr.exe
1760	qzggr.exe
1760	qzggr.exe
1660	wuapp.exe
1660	wuapp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	qzggr.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeDebugPrivilege	1660	wuapp.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
368	EXCEL.EXE
368	EXCEL.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1736	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 1736	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 1736	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 1736	1956	EQNEDT32.EXE	29
PID 1736 wrote to memory of 1908	1736	cmd.exe	31
PID 1736 wrote to memory of 1908	1736	cmd.exe	31
PID 1736 wrote to memory of 1908	1736	cmd.exe	31
PID 1736 wrote to memory of 1908	1736	cmd.exe	31
PID 1908 wrote to memory of 1456	1908	name.exe	32
PID 1908 wrote to memory of 1456	1908	name.exe	32
PID 1908 wrote to memory of 1456	1908	name.exe	32
PID 1908 wrote to memory of 1456	1908	name.exe	32
PID 1456 wrote to memory of 1760	1456	qzggr.exe	33
PID 1456 wrote to memory of 1760	1456	qzggr.exe	33
PID 1456 wrote to memory of 1760	1456	qzggr.exe	33
PID 1456 wrote to memory of 1760	1456	qzggr.exe	33
PID 1456 wrote to memory of 1760	1456	qzggr.exe	33
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1248 wrote to memory of 1660	1248	Explorer.EXE	34
PID 1660 wrote to memory of 464	1660	wuapp.exe	36
PID 1660 wrote to memory of 464	1660	wuapp.exe	36
PID 1660 wrote to memory of 464	1660	wuapp.exe	36
PID 1660 wrote to memory of 464	1660	wuapp.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9e89ae3e1c950baa301e0061cbbd578b35bd9bd016afd77ed9495c70a1999956.xlsx
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:368
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\qzggr.exe"
    3⤵
    PID:464

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Public\name.exe
    C:\Users\Public\name.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\qzggr.exe
      "C:\Users\Admin\AppData\Local\Temp\qzggr.exe" C:\Users\Admin\AppData\Local\Temp\vrkajusb.f
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\qzggr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qzggr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hbxhxppk.gcg

Filesize
205KB

MD5
0673fd0429589c093abcdf172f69f096

SHA1
ce5c989c1ff34316f837628b7ab3f671d755918b

SHA256
a455a81c7cfde0c60158d1f2c810633ffa8e6771fdf4f7fda75978630070a18c

SHA512
0fb712b6a0059ddc0a5332a8fd45d8a75dd638303321a4f56850a79c92007e1a22c78fd988cb357148219cbe80c4555543b7e555a27a42b2890088ef3200ed0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkajusb.f

Filesize
5KB

MD5
60206627e23f12fdeb3d4da96ecf9e8c

SHA1
cecd003a725d48faa1bdea2a790c9861353f055e

SHA256
ef2a87e8c4f7b0799d14b82f2e88392782e5ad145cd0aaf55f6b6bb2c0b86909

SHA512
3a88ab5017c59c45d0aff0c2536d45eb4c66ba28a025da53da00c1fa37a16d22fd4082c66195632d6ebdd3a01592693269ae4f836a694d6adc16a36405ceb8c1

Download Submit
C:\Users\Public\name.exe

Filesize
365KB

MD5
bc0b06402e7d1c9137ddc147b44bb3f1

SHA1
98e045b8c32bf6df991dfaddf4f03298acab0b08

SHA256
498657673492910709e321035e4fabe392e1a297e2ae2653fcb5464279d47de0

SHA512
f59df21f5e92286c1e1d435415c0a5b555a233978dcbc66efdf3459e9f6a7f93219bb4772b81525c2602473490ddda81810ffc47314290856dd18f3d4dcda730

Download Submit
C:\Users\Public\name.exe

Filesize
365KB

MD5
bc0b06402e7d1c9137ddc147b44bb3f1

SHA1
98e045b8c32bf6df991dfaddf4f03298acab0b08

SHA256
498657673492910709e321035e4fabe392e1a297e2ae2653fcb5464279d47de0

SHA512
f59df21f5e92286c1e1d435415c0a5b555a233978dcbc66efdf3459e9f6a7f93219bb4772b81525c2602473490ddda81810ffc47314290856dd18f3d4dcda730

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Public\name.exe

Filesize
365KB

MD5
bc0b06402e7d1c9137ddc147b44bb3f1

SHA1
98e045b8c32bf6df991dfaddf4f03298acab0b08

SHA256
498657673492910709e321035e4fabe392e1a297e2ae2653fcb5464279d47de0

SHA512
f59df21f5e92286c1e1d435415c0a5b555a233978dcbc66efdf3459e9f6a7f93219bb4772b81525c2602473490ddda81810ffc47314290856dd18f3d4dcda730

Download Submit
memory/368-76-0x000000006C7D1000-0x000000006C7D3000-memory.dmp

Filesize
8KB

Download
memory/368-81-0x000000007227D000-0x0000000072288000-memory.dmp

Filesize
44KB

Download
memory/368-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-69-0x000000006C311000-0x000000006C313000-memory.dmp

Filesize
8KB

Download
memory/368-58-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/368-57-0x000000007227D000-0x0000000072288000-memory.dmp

Filesize
44KB

Download
memory/368-92-0x000000007227D000-0x0000000072288000-memory.dmp

Filesize
44KB

Download
memory/368-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-54-0x000000002F5D1000-0x000000002F5D4000-memory.dmp

Filesize
12KB

Download
memory/368-55-0x0000000071291000-0x0000000071293000-memory.dmp

Filesize
8KB

Download
memory/1248-94-0x000007FED2410000-0x000007FED241A000-memory.dmp

Filesize
40KB

Download
memory/1248-90-0x0000000007260000-0x0000000007308000-memory.dmp

Filesize
672KB

Download
memory/1248-80-0x00000000049C0000-0x0000000004A75000-memory.dmp

Filesize
724KB

Download
memory/1248-89-0x0000000007260000-0x0000000007308000-memory.dmp

Filesize
672KB

Download
memory/1248-93-0x000007FEF64B0000-0x000007FEF65F3000-memory.dmp

Filesize
1.3MB

Download
memory/1660-86-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/1660-84-0x0000000000CB0000-0x0000000000CBB000-memory.dmp

Filesize
44KB

Download
memory/1660-85-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1660-87-0x00000000008D0000-0x0000000000963000-memory.dmp

Filesize
588KB

Download
memory/1660-88-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1760-79-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1760-78-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1760-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download