Analysis
-
max time kernel
148s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
16-02-2023 22:01
Static task
static1
Behavioral task
behavioral1
Sample
O_O.rtf
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
O_O.rtf
Resource
win10v2004-20220812-en
General
-
Target
O_O.rtf
-
Size
13KB
-
MD5
aedb3953dd70f03351f2cf98ed82e141
-
SHA1
6610f485d292277a4afc3b91cf09a66b51c68fc4
-
SHA256
d7e98e5c75b815ee296b523c269453efdca996595b44c6e33ea0b112f34f8b3b
-
SHA512
6ad736036664831e313012129123964ebafd192a595282cc3f1b8b47b379d8f12736e0001f1c4f4c16e2a53afa5fe70eca555dc037f8160702c3a093e0c88a49
-
SSDEEP
192:7PsNGkkB2827ZFZuEHeNs3St0zD+yMUztAVVYXOsxITpg/YqAOiTfQ/j/P:7POCk7DeNs3St25hYgOlq5awjX
Malware Config
Extracted
formbook
4.1
ho62
aqawonky.com
ancachsroadsideassistance.com
artologycreatlive.com
olesinfo.africa
lovebreatheandsleep.com
friendsofdragonsprings.com
homecomingmums.wiki
hg222.bet
precision-spares.co.uk
generalhospitaleu.africa
touchstone4x4.africa
dynamator.com
dental-implants-52531.com
efefear.buzz
bentonapp.net
89luxu.com
bridgesonelm.com
acesaigon.online
instantapprovals.loans
evuniverso.com
kasoraenterprises.com
instasteamer.com
granolei.com
iamavisioniar.site
beachexplo.com
ynametro.com
littlegallery-rovinj.com
27og.com
horrorcity.online
zexo.africa
perdeumane.com
drugsaddiction.co.uk
tickleyourfancy.africa
jimyhq.top
rajputnetwork.co.uk
lacuspidehn.com
bestxdenotecyby.top
gg10siyahposet.xyz
biorigin.co.uk
jye-group.com
digito.exposed
eternalstw.com
schjetne.dev
climateviking.com
easysaldoya.xyz
1233332.xyz
centerverified.online
lezzetyemekfabrikasi.com
wzshayang.com
cloudadonis.com
zxpz6.com
alifecube.com
induscontrolpcb.site
golfingineurope.com
ducksathomephotos.com
aimeesbellaboutique.com
justrebottle.com
hachettejeunesse.pro
238142.com
casabiancapanama.com
dohenydesalination.com
1-kh.com
cdhptor.xyz
island6.work
ehirtt.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1340-75-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1340-83-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1244-86-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/1244-90-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 1460 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exenjxmhiqte.exenjxmhiqte.exepid process 1516 vbc.exe 1632 njxmhiqte.exe 1340 njxmhiqte.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEvbc.exenjxmhiqte.exepid process 1460 EQNEDT32.EXE 1516 vbc.exe 1632 njxmhiqte.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
njxmhiqte.exenjxmhiqte.exewlanext.exedescription pid process target process PID 1632 set thread context of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1340 set thread context of 1216 1340 njxmhiqte.exe Explorer.EXE PID 1340 set thread context of 1216 1340 njxmhiqte.exe Explorer.EXE PID 1244 set thread context of 1216 1244 wlanext.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1744 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
njxmhiqte.exewlanext.exepid process 1340 njxmhiqte.exe 1340 njxmhiqte.exe 1340 njxmhiqte.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe 1244 wlanext.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
njxmhiqte.exenjxmhiqte.exewlanext.exepid process 1632 njxmhiqte.exe 1340 njxmhiqte.exe 1340 njxmhiqte.exe 1340 njxmhiqte.exe 1340 njxmhiqte.exe 1244 wlanext.exe 1244 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
njxmhiqte.exewlanext.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1340 njxmhiqte.exe Token: SeDebugPrivilege 1244 wlanext.exe Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeShutdownPrivilege 1216 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1744 WINWORD.EXE 1744 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEvbc.exenjxmhiqte.exenjxmhiqte.exewlanext.exeWINWORD.EXEdescription pid process target process PID 1460 wrote to memory of 1516 1460 EQNEDT32.EXE vbc.exe PID 1460 wrote to memory of 1516 1460 EQNEDT32.EXE vbc.exe PID 1460 wrote to memory of 1516 1460 EQNEDT32.EXE vbc.exe PID 1460 wrote to memory of 1516 1460 EQNEDT32.EXE vbc.exe PID 1516 wrote to memory of 1632 1516 vbc.exe njxmhiqte.exe PID 1516 wrote to memory of 1632 1516 vbc.exe njxmhiqte.exe PID 1516 wrote to memory of 1632 1516 vbc.exe njxmhiqte.exe PID 1516 wrote to memory of 1632 1516 vbc.exe njxmhiqte.exe PID 1632 wrote to memory of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1632 wrote to memory of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1632 wrote to memory of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1632 wrote to memory of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1632 wrote to memory of 1340 1632 njxmhiqte.exe njxmhiqte.exe PID 1340 wrote to memory of 1244 1340 njxmhiqte.exe wlanext.exe PID 1340 wrote to memory of 1244 1340 njxmhiqte.exe wlanext.exe PID 1340 wrote to memory of 1244 1340 njxmhiqte.exe wlanext.exe PID 1340 wrote to memory of 1244 1340 njxmhiqte.exe wlanext.exe PID 1244 wrote to memory of 1636 1244 wlanext.exe cmd.exe PID 1244 wrote to memory of 1636 1244 wlanext.exe cmd.exe PID 1244 wrote to memory of 1636 1244 wlanext.exe cmd.exe PID 1244 wrote to memory of 1636 1244 wlanext.exe cmd.exe PID 1744 wrote to memory of 1652 1744 WINWORD.EXE splwow64.exe PID 1744 wrote to memory of 1652 1744 WINWORD.EXE splwow64.exe PID 1744 wrote to memory of 1652 1744 WINWORD.EXE splwow64.exe PID 1744 wrote to memory of 1652 1744 WINWORD.EXE splwow64.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1216 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\O_O.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1652
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"5⤵PID:692
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"5⤵PID:1148
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"5⤵PID:1008
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"6⤵PID:1636
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\aeqxmj.piaFilesize
205KB
MD5baec02094b35270a151460be6cd66e65
SHA17c26210d4c1c7f2add9a13164179649b3a3c9dbe
SHA256614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3
SHA5123d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566
-
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exeFilesize
322KB
MD560ee2623954b697257bb49f0189d751a
SHA12598c631a24546a707cbc797dbe2772512f08b49
SHA25680ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c
SHA512f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459
-
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exeFilesize
322KB
MD560ee2623954b697257bb49f0189d751a
SHA12598c631a24546a707cbc797dbe2772512f08b49
SHA25680ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c
SHA512f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459
-
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exeFilesize
322KB
MD560ee2623954b697257bb49f0189d751a
SHA12598c631a24546a707cbc797dbe2772512f08b49
SHA25680ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c
SHA512f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459
-
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.xFilesize
5KB
MD522a3bb50bacb64d72699f4e7642d550d
SHA19ec311fd68910b475b95f5bc187dfb00a385d58d
SHA2565bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327
SHA5126360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53
-
C:\Users\Public\vbc.exeFilesize
432KB
MD5e3a874c6e454d2591f5380be7aa4dff4
SHA13714bee104682ecc3867aa84f9b049d3b6d58639
SHA2569e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA5126eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
-
C:\Users\Public\vbc.exeFilesize
432KB
MD5e3a874c6e454d2591f5380be7aa4dff4
SHA13714bee104682ecc3867aa84f9b049d3b6d58639
SHA2569e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA5126eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
-
\Users\Admin\AppData\Local\Temp\njxmhiqte.exeFilesize
322KB
MD560ee2623954b697257bb49f0189d751a
SHA12598c631a24546a707cbc797dbe2772512f08b49
SHA25680ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c
SHA512f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459
-
\Users\Admin\AppData\Local\Temp\njxmhiqte.exeFilesize
322KB
MD560ee2623954b697257bb49f0189d751a
SHA12598c631a24546a707cbc797dbe2772512f08b49
SHA25680ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c
SHA512f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459
-
\Users\Public\vbc.exeFilesize
432KB
MD5e3a874c6e454d2591f5380be7aa4dff4
SHA13714bee104682ecc3867aa84f9b049d3b6d58639
SHA2569e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA5126eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
-
memory/1216-78-0x0000000005140000-0x000000000525D000-memory.dmpFilesize
1.1MB
-
memory/1216-89-0x0000000008450000-0x00000000085BB000-memory.dmpFilesize
1.4MB
-
memory/1216-81-0x0000000007810000-0x00000000079AF000-memory.dmpFilesize
1.6MB
-
memory/1216-93-0x0000000008450000-0x00000000085BB000-memory.dmpFilesize
1.4MB
-
memory/1244-87-0x0000000001F70000-0x0000000002273000-memory.dmpFilesize
3.0MB
-
memory/1244-86-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1244-85-0x00000000002A0000-0x00000000002B6000-memory.dmpFilesize
88KB
-
memory/1244-88-0x0000000001D70000-0x0000000001E04000-memory.dmpFilesize
592KB
-
memory/1244-82-0x0000000000000000-mapping.dmp
-
memory/1244-90-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1340-75-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1340-80-0x00000000006F0000-0x0000000000705000-memory.dmpFilesize
84KB
-
memory/1340-76-0x00000000009D0000-0x0000000000CD3000-memory.dmpFilesize
3.0MB
-
memory/1340-77-0x0000000000450000-0x0000000000465000-memory.dmpFilesize
84KB
-
memory/1340-83-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1340-73-0x000000000041F070-mapping.dmp
-
memory/1516-61-0x0000000000000000-mapping.dmp
-
memory/1632-66-0x0000000000000000-mapping.dmp
-
memory/1636-84-0x0000000000000000-mapping.dmp
-
memory/1652-91-0x0000000000000000-mapping.dmp
-
memory/1652-92-0x000007FEFC201000-0x000007FEFC203000-memory.dmpFilesize
8KB
-
memory/1744-54-0x0000000072B51000-0x0000000072B54000-memory.dmpFilesize
12KB
-
memory/1744-57-0x0000000075631000-0x0000000075633000-memory.dmpFilesize
8KB
-
memory/1744-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1744-58-0x00000000715BD000-0x00000000715C8000-memory.dmpFilesize
44KB
-
memory/1744-79-0x00000000715BD000-0x00000000715C8000-memory.dmpFilesize
44KB
-
memory/1744-55-0x00000000705D1000-0x00000000705D3000-memory.dmpFilesize
8KB