Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
20-02-2023 12:06
Static task
static1
Behavioral task
behavioral1
Sample
Updated ORDER.docx
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Updated ORDER.docx
Resource
win10v2004-20221111-en
General
-
Target
Updated ORDER.docx
-
Size
11KB
-
MD5
98d58338e27f9aad2ef3c5a0a4df20ab
-
SHA1
1af7e9a0b504f116db06090cb229c64b54a607b8
-
SHA256
5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717
-
SHA512
dea40ac1624aa1ee9ab743c897a1f00764ad6722b9b9a329fcdcccdab9319ea85c5512c7a63fb440b0d5b55e67270ba1a417c24fb0176551021ad26ee7e2c0db
-
SSDEEP
192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCaWgk9Vlp:aNxUyn0i13LROEiOLkX6Ujnw+3NWgaVr
Malware Config
Extracted
formbook
4.1
ho62
aqawonky.com
ancachsroadsideassistance.com
artologycreatlive.com
olesinfo.africa
lovebreatheandsleep.com
friendsofdragonsprings.com
homecomingmums.wiki
hg222.bet
precision-spares.co.uk
generalhospitaleu.africa
touchstone4x4.africa
dynamator.com
dental-implants-52531.com
efefear.buzz
bentonapp.net
89luxu.com
bridgesonelm.com
acesaigon.online
instantapprovals.loans
evuniverso.com
kasoraenterprises.com
instasteamer.com
granolei.com
iamavisioniar.site
beachexplo.com
ynametro.com
littlegallery-rovinj.com
27og.com
horrorcity.online
zexo.africa
perdeumane.com
drugsaddiction.co.uk
tickleyourfancy.africa
jimyhq.top
rajputnetwork.co.uk
lacuspidehn.com
bestxdenotecyby.top
gg10siyahposet.xyz
biorigin.co.uk
jye-group.com
digito.exposed
eternalstw.com
schjetne.dev
climateviking.com
easysaldoya.xyz
1233332.xyz
centerverified.online
lezzetyemekfabrikasi.com
wzshayang.com
cloudadonis.com
zxpz6.com
alifecube.com
induscontrolpcb.site
golfingineurope.com
ducksathomephotos.com
aimeesbellaboutique.com
justrebottle.com
hachettejeunesse.pro
238142.com
casabiancapanama.com
dohenydesalination.com
1-kh.com
cdhptor.xyz
island6.work
ehirtt.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-77-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1936-85-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2044-89-0x0000000000090000-0x00000000000BF000-memory.dmp formbook behavioral1/memory/2044-92-0x0000000000090000-0x00000000000BF000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
EQNEDT32.EXErundll32.exeflow pid process 7 1756 EQNEDT32.EXE 15 2044 rundll32.exe -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625003/O--O.DOC WINWORD.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.exervcgltry.exervcgltry.exepid process 1744 vbc.exe 1916 rvcgltry.exe 1936 rvcgltry.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEvbc.exervcgltry.exepid process 1756 EQNEDT32.EXE 1744 vbc.exe 1916 rvcgltry.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
rvcgltry.exervcgltry.exerundll32.exedescription pid process target process PID 1916 set thread context of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1936 set thread context of 1260 1936 rvcgltry.exe Explorer.EXE PID 1936 set thread context of 1260 1936 rvcgltry.exe Explorer.EXE PID 2044 set thread context of 1260 2044 rundll32.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1516 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
rvcgltry.exerundll32.exepid process 1936 rvcgltry.exe 1936 rvcgltry.exe 1936 rvcgltry.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
rvcgltry.exervcgltry.exerundll32.exepid process 1916 rvcgltry.exe 1936 rvcgltry.exe 1936 rvcgltry.exe 1936 rvcgltry.exe 1936 rvcgltry.exe 2044 rundll32.exe 2044 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
rvcgltry.exeExplorer.EXErundll32.exedescription pid process Token: SeDebugPrivilege 1936 rvcgltry.exe Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeDebugPrivilege 2044 rundll32.exe Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1516 WINWORD.EXE 1516 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
EQNEDT32.EXEvbc.exervcgltry.exeWINWORD.EXEExplorer.EXErundll32.exedescription pid process target process PID 1756 wrote to memory of 1744 1756 EQNEDT32.EXE vbc.exe PID 1756 wrote to memory of 1744 1756 EQNEDT32.EXE vbc.exe PID 1756 wrote to memory of 1744 1756 EQNEDT32.EXE vbc.exe PID 1756 wrote to memory of 1744 1756 EQNEDT32.EXE vbc.exe PID 1744 wrote to memory of 1916 1744 vbc.exe rvcgltry.exe PID 1744 wrote to memory of 1916 1744 vbc.exe rvcgltry.exe PID 1744 wrote to memory of 1916 1744 vbc.exe rvcgltry.exe PID 1744 wrote to memory of 1916 1744 vbc.exe rvcgltry.exe PID 1916 wrote to memory of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1916 wrote to memory of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1916 wrote to memory of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1916 wrote to memory of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1916 wrote to memory of 1936 1916 rvcgltry.exe rvcgltry.exe PID 1516 wrote to memory of 1728 1516 WINWORD.EXE splwow64.exe PID 1516 wrote to memory of 1728 1516 WINWORD.EXE splwow64.exe PID 1516 wrote to memory of 1728 1516 WINWORD.EXE splwow64.exe PID 1516 wrote to memory of 1728 1516 WINWORD.EXE splwow64.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 1260 wrote to memory of 2044 1260 Explorer.EXE rundll32.exe PID 2044 wrote to memory of 1588 2044 rundll32.exe cmd.exe PID 2044 wrote to memory of 1588 2044 rundll32.exe cmd.exe PID 2044 wrote to memory of 1588 2044 rundll32.exe cmd.exe PID 2044 wrote to memory of 1588 2044 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Updated ORDER.docx"2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe" C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.r3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\tclpuoflals.opyFilesize
205KB
MD5deac0048a0c6ec356070a82ce292fe6f
SHA1537f69f232356d953ce0474032efb7bcd14ef39f
SHA256dafcc435e99f4fd4798fdd740b6379685764037093d83547ffb500f043f1d646
SHA5124e51b1a11c010f5525c6774234f33f7c4076c067bd1cd7921cdc7c204f2032e9939b4c4740f049740ad957e5a8b1f0f1b0ed7b15c6b97f3571c6feed0d31557e
-
C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.rFilesize
6KB
MD563ea2b1b129b3bdb981a0ab43167e734
SHA197f8c5869717e0fc9625aa128b0b9f473121bc0b
SHA256db767d3f93786d24e935f5ee35b65ea6038b786cf6e57ade24404de162a0de84
SHA5121f707e603fec74832e55bb57803461c45408ff17bd00222fb17d0bbd5faac2bb0365897e00ebaa18cdd5d84780c1153b87f7f049af8cc35306f6ffda1d878b7e
-
C:\Users\Public\vbc.exeFilesize
423KB
MD5d00138d4097d9e64a13f408bb7441b4f
SHA1e7d7447a48917bb0090f4d2f80148006f91d8228
SHA2561954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
SHA512f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
C:\Users\Public\vbc.exeFilesize
423KB
MD5d00138d4097d9e64a13f408bb7441b4f
SHA1e7d7447a48917bb0090f4d2f80148006f91d8228
SHA2561954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
SHA512f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
\Users\Public\vbc.exeFilesize
423KB
MD5d00138d4097d9e64a13f408bb7441b4f
SHA1e7d7447a48917bb0090f4d2f80148006f91d8228
SHA2561954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
SHA512f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
memory/1260-83-0x00000000074A0000-0x0000000007632000-memory.dmpFilesize
1.6MB
-
memory/1260-94-0x0000000004C90000-0x0000000004D72000-memory.dmpFilesize
904KB
-
memory/1260-93-0x0000000004C90000-0x0000000004D72000-memory.dmpFilesize
904KB
-
memory/1260-80-0x0000000004E20000-0x0000000004FBB000-memory.dmpFilesize
1.6MB
-
memory/1516-54-0x00000000727A1000-0x00000000727A4000-memory.dmpFilesize
12KB
-
memory/1516-59-0x000000007120D000-0x0000000071218000-memory.dmpFilesize
44KB
-
memory/1516-58-0x000000007120D000-0x0000000071218000-memory.dmpFilesize
44KB
-
memory/1516-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmpFilesize
8KB
-
memory/1516-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1516-55-0x0000000070221000-0x0000000070223000-memory.dmpFilesize
8KB
-
memory/1588-87-0x0000000000000000-mapping.dmp
-
memory/1728-76-0x0000000000000000-mapping.dmp
-
memory/1728-81-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmpFilesize
8KB
-
memory/1744-62-0x0000000000000000-mapping.dmp
-
memory/1916-67-0x0000000000000000-mapping.dmp
-
memory/1936-74-0x000000000041F070-mapping.dmp
-
memory/1936-82-0x00000000003A0000-0x00000000003B5000-memory.dmpFilesize
84KB
-
memory/1936-85-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1936-79-0x00000000002A0000-0x00000000002B5000-memory.dmpFilesize
84KB
-
memory/1936-78-0x0000000000900000-0x0000000000C03000-memory.dmpFilesize
3.0MB
-
memory/1936-77-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2044-84-0x0000000000000000-mapping.dmp
-
memory/2044-88-0x00000000009F0000-0x00000000009FE000-memory.dmpFilesize
56KB
-
memory/2044-89-0x0000000000090000-0x00000000000BF000-memory.dmpFilesize
188KB
-
memory/2044-90-0x0000000002100000-0x0000000002403000-memory.dmpFilesize
3.0MB
-
memory/2044-91-0x0000000001EA0000-0x0000000001F34000-memory.dmpFilesize
592KB
-
memory/2044-92-0x0000000000090000-0x00000000000BF000-memory.dmpFilesize
188KB