Analysis
max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted
22-03-2023 18:59
Static task
static1
Behavioral task
behavioral1
Sample
1 payment cash Deposit.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
1 payment cash Deposit.rtf
Resource
win10v2004-20230220-en
General
Target
1 payment cash Deposit.rtf
Size
1.8MB
MD5
eda174e3f27c80dcd19abfb5400c50d9
SHA1
14002d710bb0fc29a8103d3909c542e680020f63
SHA256
d6f3694d7c009f73f53fa28d77a65eafd3ae19c9d219982a71f150c514a86584
SHA512
9f6f9d61bc3de47b155d3d3aeed8044fe1b2951ea4ac89402e2dcf3decf991888ed28afb72e79c41abbc584ea51be98c08bc520aadb6531bb63ed77283e058e4
SSDEEP
24576:oyNh+vkSpIGa2e761oZziemHIYQGohgxg3je6H3qPwHDaw/oKmDJ9QZEpJqiLq38:y
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
bn26
Domains (Formbook configurations mix the real C2 with decoy domains, so the list below should not be treated as 65 live C2 hosts without further validation)
juweipai.com
assurance-mon-espace-sante.com
robqq.com
ablindear.com
socialmonkeys.co.uk
learningworldtech.com
imprese-it.com
themoodcollectives.africa
lutonmethodists.org.uk
castawaycovebnb.com
caronthemove.com
carolinacastro.uk
dcfashionweekintl.com
branchbasicsa.com
drpatrickakinsanya.africa
inventourownfuture.com
applege.top
whatamitiredof.com
daphan.pics
gardenstatevinyl.net
autocashflux.com
travelldn.co.uk
rietedelgobierno.net
bkcoin.info
tnpgroup.africa
ch8love.top
benrihome.com
fangjiejie.com
lasherasflorida.com
goldenfestivals.com
coeminnamfbank.africa
daily-farming.com
heart-attacktreatment.site
apexcarleasing.com
kronepol.buzz
flickflowgames.com
guanyuanlin.com
manualtherapycolchester.co.uk
bastuochspa.se
sherfreight.com
bosscitylabs.com
chantelle-ford.com
joshuaumeoha.africa
gamersfamilycheaters.com
janjicmedia.com
antiquality.club
bgods-guitars.com
97she82.xyz
herbertcodes.com
thestewspot.net
cheic.online
jailbii.design
24hrcollective.com
concretecontractorsumrall.com
la-boutique-de-lily.com
simpleyields.app
flylabel.style
1wyfoj.top
chaoren025.com
theethicalcoachingcompany.co.uk
6kap6-98.com
landoverseashk.com
dubairentalcar.luxury
draanabellrojas.com
fi-fo.info
Signatures

Formbook payload 5 IoCs
Processes:
resource / yara_rule
- behavioral1/memory/888-81-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/888-92-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/888-98-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/1576-105-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
- behavioral1/memory/1576-107-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook

Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
4     1768  EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes:
pid   process
1764  word.exe
880   jswyhdinmg.exe
888   jswyhdinmg.exe

Loads dropped DLL 4 IoCs
Processes:
pid   process
1768  EQNEDT32.EXE
1764  word.exe
1764  word.exe
880   jswyhdinmg.exe

Suspicious use of SetThreadContext 4 IoCs
Processes:
- PID 880 (jswyhdinmg.exe) set thread context of PID 888 (jswyhdinmg.exe)
- PID 888 (jswyhdinmg.exe) set thread context of PID 1184 (Explorer.EXE)
- PID 888 (jswyhdinmg.exe) set thread context of PID 1184 (Explorer.EXE)
- PID 1576 (rundll32.exe) set thread context of PID 1184 (Explorer.EXE)

Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic shared across samples; nothing else in this report supports ransomware activity, so treat it as a low-confidence indicator for this Formbook chain.
Office loads VBA resources, possible macro or embedded object present
RTF documents do not carry VBA macros themselves, so in this analysis the relevant case is the embedded object, which went on to start Equation Editor.
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. The sandbox reports the launch, not a specific CVE; here EQNEDT32.EXE was started out of process (-Embedding) while the RTF was open and then spawned word.exe from %AppData%, which is the pattern those exploits produce and which legitimate equation rendering never does.
Processes:
pid   process
1768  EQNEDT32.EXE

Modifies Internet Explorer settings 31 IoCs
Processes: WINWORD.EXE (all entries)
- Key created: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (int): \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str): \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Set value (str): \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Set value (str): \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
Modifies registry class 64 IoCs
Processes: WINWORD.EXE (all entries)
All 64 writes come from WINWORD.EXE (PID 1948) and point at Office14 binaries or Windows Installer descriptors for Office features; this is consistent with Word's own first-run registration of the HTML/MHTML editor verbs rather than with payload activity.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
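The REG_BINARY `command` values in the "Modifies registry class" and "Modifies Internet Explorer settings" tables are the one part of the registry noise an analyst should actually decode before dismissing it, because a hijacked `shell\edit\command` would sit in exactly the same place. The script below is an added example for this page, not part of the sandbox output: the three hex strings are copied verbatim from the table above, and reading the decoded text as a Windows Installer "Darwin descriptor" (20-character compressed product GUID, feature name, `>`, 20-character compressed component GUID, then the literal arguments) is the standard MSI layout for advertised verbs, an interpretation the report itself does not state. The `SUSPICIOUS_VALUE` contrast case is constructed, not observed.

```python
"""Decode the REG_BINARY 'command' values WINWORD.EXE wrote in this run.

Added example for this page; not part of the sandbox report. The hex data is
copied from the 'Modifies registry class' entries. Treating the decoded text as
an MSI Darwin descriptor (product GUID, feature, '>', component GUID, args) is
the editor's assumption about the format, not something the report states.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# The first 40 bytes (20 UTF-16 chars) are identical in all three values: the
# compressed product GUID.  "xb'BV5" + nine "!" + "MKKSk".
PRODUCT_HEX = "780062002700420056003500" + "2100" * 9 + "4d004b004b0053006b00"

# Copied from the report: Set value (data) ...\shell\edit\command\command = <hex>
COMMAND_VALUES: Dict[str, str] = {
    "Word": PRODUCT_HEX
    + "57004f0052004400460069006c00650073003e00"                                    # WORDFiles>
    + "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"  # component
    + "20002f006e002000220025003100220000000000",                                    # ' /n "%1"' + NUL
    "Excel": PRODUCT_HEX
    + "45005800430045004c00460069006c00650073003e00"                                # EXCELFiles>
    + "560069006a00710042006f006600280059003800270077002100460049006400310067004c005100"  # component
    + "20002f0064006400650000000000",                                                # ' /dde' + NUL
    "Publisher": PRODUCT_HEX
    + "5000750062005000720069006d006100720079003e00"                                # PubPrimary>
    + "520024006e0075006a0053005700460065003f007d0061004c007200520070003900780040005700"  # component
    + "20002500310000000000",                                                        # ' %1' + NUL
}

# Constructed contrast case (not from the report): what a hijacked verb would look like.
SUSPICIOUS_VALUE = 'cmd.exe /c "%TEMP%\\update.exe"'.encode("utf-16-le").hex() + "0000"


@dataclass(frozen=True)
class DarwinDescriptor:
    product: str    # compressed product GUID (20 chars)
    feature: str    # feature name, e.g. WORDFiles
    component: str  # compressed component GUID (20 chars)
    args: str       # literal arguments appended after the descriptor


def decode_reg_binary_utf16(hexdata: str) -> str:
    """REG_BINARY bytes as dumped by the sandbox -> UTF-16LE text without the NUL terminator."""
    return bytes.fromhex(hexdata).decode("utf-16-le", errors="strict").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> Optional[DarwinDescriptor]:
    """Split a decoded value into descriptor fields, or None if the layout does not fit."""
    if len(text) <= 20 or ">" not in text[20:]:
        return None
    product = text[:20]
    feature, tail = text[20:].split(">", 1)
    if not feature.isalnum() or len(tail) < 20:
        return None
    return DarwinDescriptor(product, feature, tail[:20], tail[20:])


def summarize(values: Dict[str, str]) -> Dict[str, Optional[DarwinDescriptor]]:
    """Decode every value; anything that is not a descriptor comes back as None for manual review."""
    out: Dict[str, Optional[DarwinDescriptor]] = {}
    for name, hexdata in values.items():
        try:
            out[name] = parse_darwin_descriptor(decode_reg_binary_utf16(hexdata))
        except (ValueError, UnicodeDecodeError):
            out[name] = None
    return out


def same_product(values: Dict[str, str]) -> bool:
    """True when every parsed descriptor points at one installed product (here: Office 14)."""
    parsed = [d for d in summarize(values).values() if d is not None]
    return bool(parsed) and len({d.product for d in parsed}) == 1


if __name__ == "__main__":
    for name, d in summarize(COMMAND_VALUES).items():
        print(name, "->", d.feature if d else "NOT A DARWIN DESCRIPTOR: review", repr(d.args) if d else "")
    print("single product:", same_product(COMMAND_VALUES))
```

The check that matters is the last one: all three values resolve to the same product code with Office feature names (`WORDFiles`, `EXCELFiles`, `PubPrimary`) and only the expected trailing switches, so these writes are Office registering its own editors. A value that fails to parse, or whose arguments point outside `Office14`, is the thing to look at.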
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1948  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid   process          events
888   jswyhdinmg.exe   3
1576  rundll32.exe     21

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1184  Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid   process          events
880   jswyhdinmg.exe   1
888   jswyhdinmg.exe   4
1576  rundll32.exe     2

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
token                 pid   process          events
SeDebugPrivilege      888   jswyhdinmg.exe   1
SeShutdownPrivilege   1184  Explorer.EXE     5
SeDebugPrivilege      1576  rundll32.exe     1

Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
pid   process        events
1184  Explorer.EXE   12

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process        events
1184  Explorer.EXE   4

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process       events
1948  WINWORD.EXE   2

Suspicious use of WriteProcessMemory 28 IoCs
Processes:
source pid/process       wrote to memory of   target pid/process    events
1768 EQNEDT32.EXE                             1764 word.exe         4
1764 word.exe                                 880 jswyhdinmg.exe    4
880 jswyhdinmg.exe                            888 jswyhdinmg.exe    5
888 jswyhdinmg.exe                            1576 rundll32.exe     7
1576 rundll32.exe                             1976 cmd.exe          4
1948 WINWORD.EXE                              1660 splwow64.exe     4
Processes

C:\Windows\Explorer.EXE  (PID 1184, depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1948, depth 2, child of Explorer.EXE)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1 payment cash Deposit.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe  (PID 1660, depth 3, child of WINWORD.EXE)
    command line: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1768, depth 1; started out of process via COM, so it has no parent in the tree)
command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\word.exe  (PID 1764, depth 2, child of EQNEDT32.EXE)
  command line: C:\Users\Admin\AppData\Roaming\word.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe  (PID 880, depth 3, child of word.exe)
    command line: "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe" C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe  (PID 888, depth 4, child of jswyhdinmg.exe PID 880)
      command line: "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe  (PID 1576, depth 5, child of jswyhdinmg.exe PID 888)
        command line: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe  (PID 1976, depth 6, child of rundll32.exe)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"
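The process tree and the SetThreadContext and WriteProcessMemory tables together describe a chain that is easy to turn into detection logic: Equation Editor spawning a child, executables running from user-writable paths, a dropped binary hollowing a second copy of itself, that copy and then rundll32.exe steering threads inside Explorer.EXE, and cmd.exe deleting the binary of an ancestor. The script below is an added example for this page, not part of the sandbox output; `PROCS` and `SET_THREAD_CONTEXT` are transcribed from the tree and tables above, while the rule names and decision logic are the editor's own (assumed) and not Tria.ge signatures. EQNEDT32.EXE is recorded with no parent because the report shows it at the root of its own tree.

```python
"""Detection logic over the process events recorded in this report.

Added example for this page, not part of the sandbox output. PROCS and
SET_THREAD_CONTEXT are transcribed from the process tree, the 'Suspicious use
of SetThreadContext' table and the final cmd.exe command line. The rule names
and the decision logic are the editor's (assumed), not Tria.ge signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None for roots (Explorer, and COM-started EQNEDT32.EXE)


PROCS: List[Proc] = [
    Proc(1184, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    Proc(1948, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\1 payment cash Deposit.rtf"', 1184),
    Proc(1660, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 1948),
    Proc(1768, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding', None),
    Proc(1764, r"C:\Users\Admin\AppData\Roaming\word.exe", r"C:\Users\Admin\AppData\Roaming\word.exe", 1768),
    Proc(880, r"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe" C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv', 1764),
    Proc(888, r"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"', 880),
    Proc(1576, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe"', 888),
    Proc(1976, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"', 1576),
]

# (source pid, target pid) pairs from 'Suspicious use of SetThreadContext'.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(880, 888), (888, 1184), (888, 1184), (1576, 1184)]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SHELL_HOSTS = {"explorer.exe"}
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[Proc], stc: List[Tuple[int, int]]) -> List[Tuple[str, int]]:
    """Return sorted (rule, pid) findings for the injection-chain patterns seen in this run."""
    by_pid = {p.pid: p for p in procs}
    found = set()

    def ancestors(p: Proc):
        a = by_pid.get(p.parent)
        while a is not None:
            yield a
            a = by_pid.get(a.parent)

    for p in procs:
        parent = by_pid.get(p.parent)
        # 1. Equation Editor renders equations; it never needs to start another program.
        if parent is not None and _base(parent.image) == "eqnedt32.exe":
            found.add(("equation_editor_child", p.pid))
        # 2. Executables living in user-writable locations: the dropped stages.
        if any(m in p.image.lower() for m in USER_WRITABLE):
            found.add(("exec_from_user_writable", p.pid))
        # 3. cmd.exe deleting the on-disk image of one of its own ancestors: cleanup.
        m = DEL_RE.search(p.cmdline) if _base(p.image) == "cmd.exe" else None
        if m and any(a.image.lower() == m.group(1).lower() for a in ancestors(p)):
            found.add(("deletes_ancestor_image", p.pid))

    for src, dst in stc:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        # 4. A parent rewriting the thread context of its own freshly started copy: hollowing.
        if s.image.lower() == d.image.lower() and d.parent == src:
            found.add(("self_hollowing", src))
        # 5. Anything steering a thread inside the desktop shell.
        elif _base(d.image) in SHELL_HOSTS:
            found.add(("inject_into_shell", src))

    return sorted(found)


if __name__ == "__main__":
    for rule, pid in detect(PROCS, SET_THREAD_CONTEXT):
        print(f"{rule:26} pid={pid}")
```

Run on this report the rules fire on exactly the malicious branch (PIDs 1764, 880, 888, 1576, 1976) and stay silent on the Word/splwow64 branch, which is the property to keep when porting them to an EDR query: rule 1 alone is enough to catch the initial exploit, and rules 4 and 5 together describe the hand-off into Explorer.EXE and a System32 host that is characteristic of Formbook.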
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe (reported four times with identical hashes; also reported as \Users\Admin\AppData\Local\Temp\jswyhdinmg.exe)
Filesize 54KB
MD5 7b3f0fa0f8b825f576c98b25aab2507e
SHA1 2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d
SHA256 d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646
SHA512 06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

C:\Users\Admin\AppData\Local\Temp\potdzpp.y
Filesize 205KB
MD5 57e7a6532f1ee86992e7b4fa6580cb19
SHA1 3d8ea00a0b9d9f167e0433afea928b68de50980f
SHA256 7b96a34af9cd31c98ddc997366b3576174a392071ab344ac8f6a072d53c42547
SHA512 e25a318bc187ff13f50a6bdafd7ced1a141297895600b750aaf52831c38aa229a9fc964fd5eaf8abee7fc803ac8d872d2a88883f07b7a4f4df8de7849c28aa25

C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv
Filesize 5KB
MD5 2756cf827356d936638f325fc53574a1
SHA1 1d05b474adb777cb85ecd0ad2f06ff9fca1ee2ab
SHA256 efae399d371cd9d2132b7c4143469da0c72f4aa559dadfcd03011e4f06cec9e7
SHA512 fb635c25243ea0bc0d74bce2e203ce7a12a7b5fad3e4603c1fde7dbe16415be12578d804f911d1d07cb80be6ee6230ee6848ab9130f9bfb8e784f05ec05a7ad6

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize 20KB
MD5 dad11ce5502474b0c20f992f902eba04
SHA1 9e178e150d1d369f72ac0c62f91f4f68f4e43e71
SHA256 2738654bd848245dadbc2e83fe0801ed743e6f08c8706e5eb93ece37d1938a7c
SHA512 4ad5125026226c4f04cfd4879a31bb045eb98780a3aeda7109b9793551d76912264637b2de356c4632b71188dc05faac5bd80efac1a47471b96608fa508ca910

C:\Users\Admin\AppData\Roaming\word.exe (reported three times with identical hashes; also reported as \Users\Admin\AppData\Roaming\word.exe)
Filesize 286KB
MD5 78a95a8cb18e37d6565520be5e8013c4
SHA1 36557486465d9d133f2ea5aceaec9731f0663f91
SHA256 85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
SHA512 7a811797afff6e82082296a10e5f3135340f126d1230bc15983737c0363c082b8bf7651d0732d85f89c5d08e13177fed789851c6402444c4dc794ee68d90be44
memory/880-77-0x00000000001D0000-0x00000000001D2000-memory.dmp  8KB
memory/888-92-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/888-96-0x0000000000380000-0x0000000000395000-memory.dmp  84KB
memory/888-91-0x0000000000910000-0x0000000000C13000-memory.dmp  3.0MB
memory/888-81-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/888-93-0x0000000000340000-0x0000000000355000-memory.dmp  84KB
memory/888-98-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1184-115-0x00000000069F0000-0x0000000006AF1000-memory.dmp  1.0MB
memory/1184-86-0x00000000038D0000-0x00000000039D0000-memory.dmp  1024KB
memory/1184-94-0x0000000006340000-0x00000000064B3000-memory.dmp  1.4MB
memory/1184-118-0x00000000069F0000-0x0000000006AF1000-memory.dmp  1.0MB
memory/1184-97-0x0000000007730000-0x00000000078B8000-memory.dmp  1.5MB
memory/1184-116-0x00000000069F0000-0x0000000006AF1000-memory.dmp  1.0MB
memory/1576-102-0x00000000009B0000-0x00000000009BE000-memory.dmp  56KB
memory/1576-104-0x00000000009B0000-0x00000000009BE000-memory.dmp  56KB
memory/1576-107-0x0000000000090000-0x00000000000BF000-memory.dmp  188KB
memory/1576-110-0x0000000001DC0000-0x0000000001E54000-memory.dmp  592KB
memory/1576-106-0x0000000002090000-0x0000000002393000-memory.dmp  3.0MB
memory/1576-105-0x0000000000090000-0x00000000000BF000-memory.dmp  188KB
memory/1576-100-0x00000000009B0000-0x00000000009BE000-memory.dmp  56KB
memory/1948-54-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
memory/1948-138-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB