formbook | 2354d413698648237984061bb9d82b2a12152c6109d6aa2694183ebff45f5ffc

Analysis

max time kernel
36s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

srr.rtf
Size

12KB
MD5

77c476f9668b541aa928996c984e8708
SHA1

1a72dbdd46449c2b209ce4cb15f355ad2cec0d35
SHA256

2354d413698648237984061bb9d82b2a12152c6109d6aa2694183ebff45f5ffc
SHA512

793f535d07263462bd9f5400dab367fd6cf5bacff88eadfd5a3541f5c72e31410d21f55bff40fa711096a04ecc1d857ebede44b5318f0b2046b445ccaca5fae0
SSDEEP

384:Jxx5tRJcEfynlp8qI7jSGakLjGlTuRGGw0LOg+2:XNcEfQpGj3ayGduRGl0b

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1504 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
3	1504	EQNEDT32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

favmswpwx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	favmswpwx.exe

Executes dropped EXE 3 IoCs

Processes:

vbc.exefavmswpwx.exefavmswpwx.exe

pid process

392 vbc.exe
912 favmswpwx.exe
1956 favmswpwx.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exefavmswpwx.exe

pid process

1504 EQNEDT32.EXE
392 vbc.exe
392 vbc.exe
912 favmswpwx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
392	vbc.exe
912	favmswpwx.exe
1956	favmswpwx.exe

pid	process
1504	EQNEDT32.EXE
392	vbc.exe
392	vbc.exe
912	favmswpwx.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

favmswpwx.exefavmswpwx.exe

description	pid	process	target process
PID 912 set thread context of 1956	912	favmswpwx.exe	favmswpwx.exe
PID 1956 set thread context of 1192	1956	favmswpwx.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1504 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1504	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2024 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

favmswpwx.exe

pid process

1956 favmswpwx.exe
1956 favmswpwx.exe
1956 favmswpwx.exe
1956 favmswpwx.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

favmswpwx.exefavmswpwx.exe

pid process

912 favmswpwx.exe
1956 favmswpwx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

favmswpwx.exe

description pid process

Token: SeDebugPrivilege 1956 favmswpwx.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2024 WINWORD.EXE
2024 WINWORD.EXE

pid	process
2024	WINWORD.EXE

pid	process
1956	favmswpwx.exe
1956	favmswpwx.exe
1956	favmswpwx.exe
1956	favmswpwx.exe

pid	process
912	favmswpwx.exe
1956	favmswpwx.exe

description	pid	process
Token: SeDebugPrivilege	1956	favmswpwx.exe

pid	process
2024	WINWORD.EXE
2024	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exefavmswpwx.exe

description	pid	process	target process
PID 1504 wrote to memory of 392	1504	EQNEDT32.EXE	vbc.exe
PID 1504 wrote to memory of 392	1504	EQNEDT32.EXE	vbc.exe
PID 1504 wrote to memory of 392	1504	EQNEDT32.EXE	vbc.exe
PID 1504 wrote to memory of 392	1504	EQNEDT32.EXE	vbc.exe
PID 392 wrote to memory of 912	392	vbc.exe	favmswpwx.exe
PID 392 wrote to memory of 912	392	vbc.exe	favmswpwx.exe
PID 392 wrote to memory of 912	392	vbc.exe	favmswpwx.exe
PID 392 wrote to memory of 912	392	vbc.exe	favmswpwx.exe
PID 912 wrote to memory of 1956	912	favmswpwx.exe	favmswpwx.exe
PID 912 wrote to memory of 1956	912	favmswpwx.exe	favmswpwx.exe
PID 912 wrote to memory of 1956	912	favmswpwx.exe	favmswpwx.exe
PID 912 wrote to memory of 1956	912	favmswpwx.exe	favmswpwx.exe
PID 912 wrote to memory of 1956	912	favmswpwx.exe	favmswpwx.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\srr.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe
"C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe" C:\Users\Admin\AppData\Local\Temp\ngfmqxc.dk
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe
"C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngfmqxc.dk
Filesize
5KB

MD5
112e351cecd04e37221dfdb0b0273bf6

SHA1
7b7615fdd12a60b9699fcc66ebcbbe52bec8c76f

SHA256
a8bcff431661ba118ae90700e4f20505def31ef7fadd4cb74a8e267212f37045

SHA512
6245fe3000bbe334c19f80a8df31dfcedf6f3e5e5558f29e53830381c016c7c882a06927a72999a9132478458826f73e4277e034054cd25d62e45c3526daa6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnfrwdaui.lyu
Filesize
204KB

MD5
eac91bd430229239b31a282d9403e6ab

SHA1
20c1d7ae9c616f71191e684d1027d6872b89932c

SHA256
2b23fa4e5acf39f8865e12104b18972f9b6f30d9b8f1a02bd7e278fc55380d7a

SHA512
a02835b38bc403ceccd597a3c8e4850c76eef20eda4904dfa781940a8900e2141dff9148ca54cca5ea29e513e1a7e6383fdfed16d69035891f6f07de25e662bb

Download Submit
C:\Users\Public\vbc.exe
Filesize
298KB

MD5
8dda4763833394bb973de7c7d57cd11e

SHA1
a54663ec3ba369aafa99f0b17bcc619647f5c576

SHA256
e4ae7f58c9e924cc6dac0208b5f6438e15174d978d013e0125f814af1509afb7

SHA512
b7273bf948656f23b882e25806e60d6f268e938866c4ff7b9632776fffdf8bc516387590bd22811582e00922dc4c9d232ef675a2ee8b754df1cfee0804a7b1a1

Download Submit
C:\Users\Public\vbc.exe
Filesize
298KB

MD5
8dda4763833394bb973de7c7d57cd11e

SHA1
a54663ec3ba369aafa99f0b17bcc619647f5c576

SHA256
e4ae7f58c9e924cc6dac0208b5f6438e15174d978d013e0125f814af1509afb7

SHA512
b7273bf948656f23b882e25806e60d6f268e938866c4ff7b9632776fffdf8bc516387590bd22811582e00922dc4c9d232ef675a2ee8b754df1cfee0804a7b1a1

Download Submit
\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
\Users\Admin\AppData\Local\Temp\favmswpwx.exe
Filesize
120KB

MD5
12c117fb1a2a279c79f5333c16df2d13

SHA1
aebd841afdd5855fc0a779bcbdd66cf6eb205512

SHA256
21d69211138b02e8f6c02e48936a432d4c284f8fdf76f062d0a845ac96fc6b27

SHA512
d8c380beffeace0e1bbdaf295ee3c4a2d74841a7b9e4f25a945dd107c14fda76b9566de50ac5c53e52de9fb69c249fdc4f404420281b30c9a7ffb7dc2a3d00fb

Download Submit
\Users\Public\vbc.exe
Filesize
298KB

MD5
8dda4763833394bb973de7c7d57cd11e

SHA1
a54663ec3ba369aafa99f0b17bcc619647f5c576

SHA256
e4ae7f58c9e924cc6dac0208b5f6438e15174d978d013e0125f814af1509afb7

SHA512
b7273bf948656f23b882e25806e60d6f268e938866c4ff7b9632776fffdf8bc516387590bd22811582e00922dc4c9d232ef675a2ee8b754df1cfee0804a7b1a1

Download Submit
memory/392-61-0x0000000000000000-mapping.dmp

Download
memory/912-67-0x0000000000000000-mapping.dmp

Download
memory/1192-80-0x0000000006A60000-0x0000000006BA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-76-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1956-77-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/1956-78-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1956-79-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/1956-73-0x00000000004012B0-mapping.dmp

Download
memory/1956-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2024-57-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000070731000-0x0000000070733000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2024-54-0x0000000072CB1000-0x0000000072CB4000-memory.dmp

Filesize
12KB

Download
memory/2024-58-0x000000007171D000-0x0000000071728000-memory.dmp

Filesize
44KB

Download