Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2023 21:46

Static task: static1

Behavioral task: behavioral1
- Sample: CONTRACT 2023.docx
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: CONTRACT 2023.docx
- Resource: win10v2004-20220812-en

General
- Target: CONTRACT 2023.docx
- Size: 10KB
- MD5: db41e48f7d56dbc3543d29270b14f41a
- SHA1: 3561319bfedaa64e9468a8c452013e9a757fd111
- SHA256: aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc
- SHA512: ac9a9fdf069235b07539b89b85dcfa8be4fd2d306cea4139d8bb29c75c02cd852d3532701cd9b17086eb29cc9009818a37749001b527d53891f07d4c4a7ba03a
- SSDEEP: 192:ScIMmtP5hG/b7XN+eOY/O+5+5F7Jar/YEChI35OJ:SPXRE7XtOY/7wtar/YECO5C

Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ho62

Signatures

Formbook payload 3 IoCs
Processes:
- behavioral1/memory/1864-78-0x0000000000400000-0x000000000042F000-memory.dmp: yara rule formbook
- behavioral1/memory/1020-85-0x00000000000F0000-0x000000000011F000-memory.dmp: yara rule formbook
- behavioral1/memory/1020-90-0x00000000000F0000-0x000000000011F000-memory.dmp: yara rule formbook

Blocklisted process makes network request 1 IoCs
Processes:
- flow 7, PID 844, process EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location 2 IoCs
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\14.0\Common (WINWORD.EXE)
- Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625003/O_O.DOC (WINWORD.EXE)

Executes dropped EXE 3 IoCs
Processes:
- PID 1860 vbc.exe
- PID 1124 njxmhiqte.exe
- PID 1864 njxmhiqte.exe

Loads dropped DLL 3 IoCs
Processes:
- PID 844 EQNEDT32.EXE
- PID 1860 vbc.exe
- PID 1124 njxmhiqte.exe

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1124 njxmhiqte.exe set thread context of PID 1864 njxmhiqte.exe
- PID 1864 njxmhiqte.exe set thread context of PID 1312 Explorer.EXE
- PID 1020 msiexec.exe set thread context of PID 1312 Explorer.EXE

Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: WINWORD.EXE

Modifies registry class 64 IoCs
Processes: WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 1544 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- PID 1864 njxmhiqte.exe (2 events)
- PID 1020 msiexec.exe (22 events)

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
- PID 1124 njxmhiqte.exe (1 event)
- PID 1864 njxmhiqte.exe (3 events)
- PID 1020 msiexec.exe (2 events)

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- Token SeDebugPrivilege: PID 1864 njxmhiqte.exe (1 event)
- Token SeShutdownPrivilege: PID 1312 Explorer.EXE (5 events)
- Token SeDebugPrivilege: PID 1020 msiexec.exe (1 event)

Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
- PID 1312 Explorer.EXE (14 events)

Suspicious use of SendNotifyMessage 6 IoCs
Processes:
- PID 1312 Explorer.EXE (6 events)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 1544 WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory 28 IoCs
Processes:
- PID 844 EQNEDT32.EXE wrote to memory of PID 1860 vbc.exe (4 events)
- PID 1860 vbc.exe wrote to memory of PID 1124 njxmhiqte.exe (4 events)
- PID 1544 WINWORD.EXE wrote to memory of PID 2012 splwow64.exe (4 events)
- PID 1124 njxmhiqte.exe wrote to memory of PID 1864 njxmhiqte.exe (5 events)
- PID 1312 Explorer.EXE wrote to memory of PID 1020 msiexec.exe (7 events)
- PID 1020 msiexec.exe wrote to memory of PID 1644 cmd.exe (4 events)

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CONTRACT 2023.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

Downloads