formbook | d7e98e5c75b815ee296b523c269453efdca996595b44c6e33ea0b112f34f8b3b

Analysis

max time kernel
148s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-02-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

O_O.rtf
Size

13KB
MD5

aedb3953dd70f03351f2cf98ed82e141
SHA1

6610f485d292277a4afc3b91cf09a66b51c68fc4
SHA256

d7e98e5c75b815ee296b523c269453efdca996595b44c6e33ea0b112f34f8b3b
SHA512

6ad736036664831e313012129123964ebafd192a595282cc3f1b8b47b379d8f12736e0001f1c4f4c16e2a53afa5fe70eca555dc037f8160702c3a093e0c88a49
SSDEEP

192:7PsNGkkB2827ZFZuEHeNs3St0zD+yMUztAVVYXOsxITpg/YqAOiTfQ/j/P:7POCk7DeNs3St25hYgOlq5awjX

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1340-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1340-83-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1244-86-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1244-90-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1460 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exenjxmhiqte.exenjxmhiqte.exe

pid process

1516 vbc.exe
1632 njxmhiqte.exe
1340 njxmhiqte.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exenjxmhiqte.exe

pid process

1460 EQNEDT32.EXE
1516 vbc.exe
1632 njxmhiqte.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	1460	EQNEDT32.EXE

pid	process
1516	vbc.exe
1632	njxmhiqte.exe
1340	njxmhiqte.exe

pid	process
1460	EQNEDT32.EXE
1516	vbc.exe
1632	njxmhiqte.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exewlanext.exe

description	pid	process	target process
PID 1632 set thread context of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1340 set thread context of 1216	1340	njxmhiqte.exe	Explorer.EXE
PID 1340 set thread context of 1216	1340	njxmhiqte.exe	Explorer.EXE
PID 1244 set thread context of 1216	1244	wlanext.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1460 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1460	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1744 WINWORD.EXE

pid	process
1744	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

njxmhiqte.exewlanext.exe

pid	process
1340	njxmhiqte.exe
1340	njxmhiqte.exe
1340	njxmhiqte.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe
1244	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exewlanext.exe

pid process

1632 njxmhiqte.exe
1340 njxmhiqte.exe
1340 njxmhiqte.exe
1340 njxmhiqte.exe
1340 njxmhiqte.exe
1244 wlanext.exe
1244 wlanext.exe

pid	process
1632	njxmhiqte.exe
1340	njxmhiqte.exe
1340	njxmhiqte.exe
1340	njxmhiqte.exe
1340	njxmhiqte.exe
1244	wlanext.exe
1244	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

njxmhiqte.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1340	njxmhiqte.exe
Token: SeDebugPrivilege	1244	wlanext.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1744 WINWORD.EXE
1744 WINWORD.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1744	WINWORD.EXE
1744	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEvbc.exenjxmhiqte.exenjxmhiqte.exewlanext.exeWINWORD.EXE

description	pid	process	target process
PID 1460 wrote to memory of 1516	1460	EQNEDT32.EXE	vbc.exe
PID 1460 wrote to memory of 1516	1460	EQNEDT32.EXE	vbc.exe
PID 1460 wrote to memory of 1516	1460	EQNEDT32.EXE	vbc.exe
PID 1460 wrote to memory of 1516	1460	EQNEDT32.EXE	vbc.exe
PID 1516 wrote to memory of 1632	1516	vbc.exe	njxmhiqte.exe
PID 1516 wrote to memory of 1632	1516	vbc.exe	njxmhiqte.exe
PID 1516 wrote to memory of 1632	1516	vbc.exe	njxmhiqte.exe
PID 1516 wrote to memory of 1632	1516	vbc.exe	njxmhiqte.exe
PID 1632 wrote to memory of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1632 wrote to memory of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1632 wrote to memory of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1632 wrote to memory of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1632 wrote to memory of 1340	1632	njxmhiqte.exe	njxmhiqte.exe
PID 1340 wrote to memory of 1244	1340	njxmhiqte.exe	wlanext.exe
PID 1340 wrote to memory of 1244	1340	njxmhiqte.exe	wlanext.exe
PID 1340 wrote to memory of 1244	1340	njxmhiqte.exe	wlanext.exe
PID 1340 wrote to memory of 1244	1340	njxmhiqte.exe	wlanext.exe
PID 1244 wrote to memory of 1636	1244	wlanext.exe	cmd.exe
PID 1244 wrote to memory of 1636	1244	wlanext.exe	cmd.exe
PID 1244 wrote to memory of 1636	1244	wlanext.exe	cmd.exe
PID 1244 wrote to memory of 1636	1244	wlanext.exe	cmd.exe
PID 1744 wrote to memory of 1652	1744	WINWORD.EXE	splwow64.exe
PID 1744 wrote to memory of 1652	1744	WINWORD.EXE	splwow64.exe
PID 1744 wrote to memory of 1652	1744	WINWORD.EXE	splwow64.exe
PID 1744 wrote to memory of 1652	1744	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\O_O.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1652

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
5⤵
PID:692

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
5⤵
PID:1148

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
5⤵
PID:1008

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
6⤵
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aeqxmj.pia
Filesize
205KB

MD5
baec02094b35270a151460be6cd66e65

SHA1
7c26210d4c1c7f2add9a13164179649b3a3c9dbe

SHA256
614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3

SHA512
3d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
Filesize
5KB

MD5
22a3bb50bacb64d72699f4e7642d550d

SHA1
9ec311fd68910b475b95f5bc187dfb00a385d58d

SHA256
5bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327

SHA512
6360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53

Download Submit
C:\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
C:\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
\Users\Public\vbc.exe
Filesize
432KB

MD5
e3a874c6e454d2591f5380be7aa4dff4

SHA1
3714bee104682ecc3867aa84f9b049d3b6d58639

SHA256
9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

SHA512
6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e

Download Submit
memory/1216-78-0x0000000005140000-0x000000000525D000-memory.dmp

Filesize
1.1MB

Download
memory/1216-89-0x0000000008450000-0x00000000085BB000-memory.dmp

Filesize
1.4MB

Download
memory/1216-81-0x0000000007810000-0x00000000079AF000-memory.dmp

Filesize
1.6MB

Download
memory/1216-93-0x0000000008450000-0x00000000085BB000-memory.dmp

Filesize
1.4MB

Download
memory/1244-87-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/1244-86-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1244-85-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/1244-88-0x0000000001D70000-0x0000000001E04000-memory.dmp

Filesize
592KB

Download
memory/1244-82-0x0000000000000000-mapping.dmp

Download
memory/1244-90-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1340-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-80-0x00000000006F0000-0x0000000000705000-memory.dmp

Filesize
84KB

Download
memory/1340-76-0x00000000009D0000-0x0000000000CD3000-memory.dmp

Filesize
3.0MB

Download
memory/1340-77-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/1340-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-73-0x000000000041F070-mapping.dmp

Download
memory/1516-61-0x0000000000000000-mapping.dmp

Download
memory/1632-66-0x0000000000000000-mapping.dmp

Download
memory/1636-84-0x0000000000000000-mapping.dmp

Download
memory/1652-91-0x0000000000000000-mapping.dmp

Download
memory/1652-92-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/1744-54-0x0000000072B51000-0x0000000072B54000-memory.dmp

Filesize
12KB

Download
memory/1744-57-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1744-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1744-58-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/1744-79-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/1744-55-0x00000000705D1000-0x00000000705D3000-memory.dmp

Filesize
8KB

Download