formbook | aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc

Resubmissions

16-02-2023 22:10

230216-13ezcacc92 10

16-02-2023 21:46

230216-1mmz1sbh3t 10

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-02-2023 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTRACT 2023.docx
Size

10KB
MD5

db41e48f7d56dbc3543d29270b14f41a
SHA1

3561319bfedaa64e9468a8c452013e9a757fd111
SHA256

aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc
SHA512

ac9a9fdf069235b07539b89b85dcfa8be4fd2d306cea4139d8bb29c75c02cd852d3532701cd9b17086eb29cc9009818a37749001b527d53891f07d4c4a7ba03a
SSDEEP

192:ScIMmtP5hG/b7XN+eOY/O+5+5F7Jar/YEChI35OJ:SPXRE7XtOY/7wtar/YECO5C

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1864-78-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1020-85-0x00000000000F0000-0x000000000011F000-memory.dmp	formbook
behavioral1/memory/1020-90-0x00000000000F0000-0x000000000011F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 844 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	844	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625003/O_O.DOC	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.exenjxmhiqte.exenjxmhiqte.exe

pid process

1860 vbc.exe
1124 njxmhiqte.exe
1864 njxmhiqte.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exenjxmhiqte.exe

pid process

844 EQNEDT32.EXE
1860 vbc.exe
1124 njxmhiqte.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1860	vbc.exe
1124	njxmhiqte.exe
1864	njxmhiqte.exe

pid	process
844	EQNEDT32.EXE
1860	vbc.exe
1124	njxmhiqte.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exemsiexec.exe

description	pid	process	target process
PID 1124 set thread context of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1864 set thread context of 1312	1864	njxmhiqte.exe	Explorer.EXE
PID 1020 set thread context of 1312	1020	msiexec.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

844 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
844	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1544 WINWORD.EXE

pid	process
1544	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

njxmhiqte.exemsiexec.exe

pid	process
1864	njxmhiqte.exe
1864	njxmhiqte.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe
1020	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exemsiexec.exe

pid process

1124 njxmhiqte.exe
1864 njxmhiqte.exe
1864 njxmhiqte.exe
1864 njxmhiqte.exe
1020 msiexec.exe
1020 msiexec.exe

pid	process
1124	njxmhiqte.exe
1864	njxmhiqte.exe
1864	njxmhiqte.exe
1864	njxmhiqte.exe
1020	msiexec.exe
1020	msiexec.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

njxmhiqte.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1864	njxmhiqte.exe
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeDebugPrivilege	1020	msiexec.exe
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1544 WINWORD.EXE
1544 WINWORD.EXE

pid	process
1544	WINWORD.EXE
1544	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEnjxmhiqte.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 844 wrote to memory of 1860	844	EQNEDT32.EXE	vbc.exe
PID 844 wrote to memory of 1860	844	EQNEDT32.EXE	vbc.exe
PID 844 wrote to memory of 1860	844	EQNEDT32.EXE	vbc.exe
PID 844 wrote to memory of 1860	844	EQNEDT32.EXE	vbc.exe
PID 1860 wrote to memory of 1124	1860	vbc.exe	njxmhiqte.exe
PID 1860 wrote to memory of 1124	1860	vbc.exe	njxmhiqte.exe
PID 1860 wrote to memory of 1124	1860	vbc.exe	njxmhiqte.exe
PID 1860 wrote to memory of 1124	1860	vbc.exe	njxmhiqte.exe
PID 1544 wrote to memory of 2012	1544	WINWORD.EXE	splwow64.exe
PID 1544 wrote to memory of 2012	1544	WINWORD.EXE	splwow64.exe
PID 1544 wrote to memory of 2012	1544	WINWORD.EXE	splwow64.exe
PID 1544 wrote to memory of 2012	1544	WINWORD.EXE	splwow64.exe
PID 1124 wrote to memory of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1124 wrote to memory of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1124 wrote to memory of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1124 wrote to memory of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1124 wrote to memory of 1864	1124	njxmhiqte.exe	njxmhiqte.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1312 wrote to memory of 1020	1312	Explorer.EXE	msiexec.exe
PID 1020 wrote to memory of 1644	1020	msiexec.exe	cmd.exe
PID 1020 wrote to memory of 1644	1020	msiexec.exe	cmd.exe
PID 1020 wrote to memory of 1644	1020	msiexec.exe	cmd.exe
PID 1020 wrote to memory of 1644	1020	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CONTRACT 2023.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2012

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
3⤵
PID:1644

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aeqxmj.pia
Filesize
205KB

MD5
baec02094b35270a151460be6cd66e65

SHA1
7c26210d4c1c7f2add9a13164179649b3a3c9dbe

SHA256
614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3

SHA512
3d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
Filesize
5KB

MD5
22a3bb50bacb64d72699f4e7642d550d

SHA1
9ec311fd68910b475b95f5bc187dfb00a385d58d

SHA256
5bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327

SHA512
6360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53

Download Submit
C:\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
C:\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
memory/1020-82-0x0000000000000000-mapping.dmp

Download
memory/1020-84-0x0000000000E00000-0x0000000000E14000-memory.dmp

Filesize
80KB

Download
memory/1020-87-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/1020-85-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/1020-90-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/1020-88-0x0000000000BC0000-0x0000000000C54000-memory.dmp

Filesize
592KB

Download
memory/1124-67-0x0000000000000000-mapping.dmp

Download
memory/1312-89-0x0000000006380000-0x0000000006422000-memory.dmp

Filesize
648KB

Download
memory/1312-81-0x0000000006D60000-0x0000000006E7A000-memory.dmp

Filesize
1.1MB

Download
memory/1312-91-0x0000000006380000-0x0000000006422000-memory.dmp

Filesize
648KB

Download
memory/1544-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1544-55-0x0000000070751000-0x0000000070753000-memory.dmp

Filesize
8KB

Download
memory/1544-57-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1544-58-0x000000007173D000-0x0000000071748000-memory.dmp

Filesize
44KB

Download
memory/1544-59-0x000000007173D000-0x0000000071748000-memory.dmp

Filesize
44KB

Download
memory/1544-54-0x0000000072CD1000-0x0000000072CD4000-memory.dmp

Filesize
12KB

Download
memory/1644-86-0x0000000000000000-mapping.dmp

Download
memory/1860-62-0x0000000000000000-mapping.dmp

Download
memory/1864-80-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download
memory/1864-79-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/1864-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-75-0x000000000041F070-mapping.dmp

Download
memory/2012-77-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/2012-71-0x0000000000000000-mapping.dmp

Download