formbook | 91e84268a13b1d03dbf602c0ae560f7c883a6aff8ed7cef2f706f2197ab3caec

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice and Packing List.docx
Size

10KB
MD5

77366ba07edd55058c59d80acc56d2f8
SHA1

d9f2a22cb7e55bcc38967de8f1802934af77209b
SHA256

91e84268a13b1d03dbf602c0ae560f7c883a6aff8ed7cef2f706f2197ab3caec
SHA512

bf0590b2cc1d50866995ed27413c15f71adec7778078ff8037e4eb995038bedc9cbc7b0a4ff3ae3359a2bc74747265d43b448c458a7d9cf4037b94491ab9eccb
SSDEEP

192:ScIMmtPGT7G/bIwXOVOQTi55SEzBC4vNq6sM63j8p:SPXuT+xXOVOQWnhlqHjw

Score

10^/10

formbook ne28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ne28

Decoy

basic-careitem.net

healstockton.com

groupetalentapro.com

geseconevent.com

adornmentwithadrienne.com

lazylynx.se

forestwerx.com

labishu.com

hilykan.com

beyondyoursenses.co.uk

inno-imc.com

driverrehab.online

mantlepies.co.uk

sicepat.net

kiwitownkids.com

infiniumsource.com

motorsolutionswithmakro.co.uk

6pg.shop

zijlont.xyz

corpusskencar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1792-159-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1792-164-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1792-171-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1980-173-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1980-174-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 364 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	364	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221468051/x....xx.......doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1996 vbc.exe
1792 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

364 EQNEDT32.EXE
364 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1996	vbc.exe
1792	vbc.exe

pid	process
364	EQNEDT32.EXE
364	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.exe

description	pid	process	target process
PID 1996 set thread context of 1792	1996	vbc.exe	vbc.exe
PID 1792 set thread context of 1228	1792	vbc.exe	Explorer.EXE
PID 1792 set thread context of 1228	1792	vbc.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

364 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
364	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1760 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exevbc.exe

pid process

1996 vbc.exe
1996 vbc.exe
1792 vbc.exe
1792 vbc.exe
1792 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

vbc.exe

pid process

1792 vbc.exe
1792 vbc.exe
1792 vbc.exe
1792 vbc.exe

pid	process
1760	WINWORD.EXE

pid	process
1996	vbc.exe
1996	vbc.exe
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe

pid	process
1228	Explorer.EXE

pid	process
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vbc.exevbc.exeExplorer.EXEWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1996	vbc.exe
Token: SeDebugPrivilege	1792	vbc.exe
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeShutdownPrivilege	1760	WINWORD.EXE
Token: SeShutdownPrivilege	1228	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1760 WINWORD.EXE
1760 WINWORD.EXE

pid	process
1760	WINWORD.EXE
1760	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXE

description	pid	process	target process
PID 364 wrote to memory of 1996	364	EQNEDT32.EXE	vbc.exe
PID 364 wrote to memory of 1996	364	EQNEDT32.EXE	vbc.exe
PID 364 wrote to memory of 1996	364	EQNEDT32.EXE	vbc.exe
PID 364 wrote to memory of 1996	364	EQNEDT32.EXE	vbc.exe
PID 1760 wrote to memory of 1136	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1136	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1136	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1136	1760	WINWORD.EXE	splwow64.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1996 wrote to memory of 1792	1996	vbc.exe	vbc.exe
PID 1228 wrote to memory of 1980	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 1980	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 1980	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 1980	1228	Explorer.EXE	svchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice and Packing List.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1136

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Public\vbc.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
2081d0c8c3e508c5baab9320bc727dae

SHA1
32b914a03e287f0c7d450dd16dd320909653f1e1

SHA256
43e2521deb26b018d81bfd1087b970f53d8fbc55e84dd9e045fe1f50a2a0a727

SHA512
dce2451412e35e0ad7d7b7a4901c451ec00df3d04a569d53a411ec1f0f5478428de56947549884376be634e9efac9c3019dfd7c4922931ffadde1bfb4959572c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E3FF2FD9-3516-4086-87F2-1EDDE8E250BA}.FSD
Filesize
128KB

MD5
ea8872fa39f9969d6cdbc68f02647650

SHA1
65fd32057ea789f3186add3dc9e8f432e6e994c3

SHA256
429fd38aaf20c689e4bb21ef09d42e1a2e809d1f85339ffaa1ac473da7f50920

SHA512
cfc886dea6fbfcd390006b9518c0e6fe290b2b1ddf769d388ca0cc1c0cbde4286ac5511d3f2bbc26d66aebf3d4846a9b7ac4a7c2afb7721258e9cdf99df064fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\x....xx[1].doc
Filesize
27KB

MD5
e1ee12ca06b9c3b7649b9535749cf03b

SHA1
7fca1fb8462bd809dd83f10725358da08786214b

SHA256
ccbe33341a3bdff6ef98b11b040e78d1b583a47371fe432947e924c2dec9261c

SHA512
93ddee3864455e6fda1dbba5323f9b414d36d0ce5533d92fb6bfffd77ed47495d86403dfa80ce00643025378a0d1aa9ff61a1441e177e9f5b865316d43afdd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1AFB91F2-51FC-4B0E-B4C7-3DBD6D93D5E9}
Filesize
128KB

MD5
f8686097c48e25e002b0bde1d29f9b5b

SHA1
20f2b8ba9704257d7f142329a66d0eef6967a9d5

SHA256
442d808fb289095e721c6a25157b6d9f030ffb429d5e0e0a50933696bcdbf072

SHA512
e036451c2f3df3539debfbd69014e757c6df066778bb3f21c88200658fdcf8e0798b16aef1872e81a11e3b04fa339213369c2205d05cbbb3d52f769e578b3b44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
9f0cf77d4cddc32323fb45ba4d45a30a

SHA1
7d22ad0b29b14fe9e14a69ccaab4d4896d831107

SHA256
a841bc0afa1352fcf0a48a0b7d78923be3e835de6b0c9b5a0d473db860ffa03d

SHA512
124417fd8882784f47815cc619988722c7d3be312370d4bf8def801fb73c1af25fa371877bde01f021c58ac610c275fba303d3c664590329085e42476483cee3

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
ac91186f688620b6a391847170b294b6

SHA1
5d760935daa7ee7119e5f715c85c858648034d2a

SHA256
7d6fe07bc192157a1cf1f1988535d753c4df05ba19f9672bd46319f11d53a4ad

SHA512
b94592021dbf0e7697c58273da56646e128cfab67fdb8b9d206d6207d96e5e43e991807667a808e45975371350eda3fd53dbcb490c24d20cad2d9db751bef4fd

Download Submit
memory/1228-170-0x0000000004C10000-0x0000000004CF7000-memory.dmp

Filesize
924KB

Download
memory/1228-162-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/1228-232-0x000007FEACE80000-0x000007FEACE8A000-memory.dmp

Filesize
40KB

Download
memory/1228-223-0x000007FEACE80000-0x000007FEACE8A000-memory.dmp

Filesize
40KB

Download
memory/1228-214-0x0000000004D00000-0x0000000004DD2000-memory.dmp

Filesize
840KB

Download
memory/1228-166-0x0000000004B30000-0x0000000004C08000-memory.dmp

Filesize
864KB

Download
memory/1760-213-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1792-165-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/1792-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-163-0x0000000000C90000-0x0000000000F93000-memory.dmp

Filesize
3.0MB

Download
memory/1792-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-158-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-169-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/1792-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-174-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1980-172-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/1980-173-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1996-146-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1996-144-0x00000000009E0000-0x0000000000AF8000-memory.dmp

Filesize
1.1MB

Download
memory/1996-145-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/1996-155-0x0000000000B00000-0x0000000000B34000-memory.dmp

Filesize
208KB

Download
memory/1996-154-0x0000000005180000-0x0000000005208000-memory.dmp

Filesize
544KB

Download
memory/1996-153-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download