formbook | d76cc47a412eb217e437f4292b240e3858d35a927048e6240b815eaea2aa1b79

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UBIN0231541484.docx
Size

14KB
MD5

68ec0315e8c7d6a99bc11d1c3165f1ea
SHA1

8fb882147e3c5b3ff413b022358916492c071855
SHA256

d76cc47a412eb217e437f4292b240e3858d35a927048e6240b815eaea2aa1b79
SHA512

6127459e215b67939e95eb6796ecd14579b4158269b1ff09b68d2aff7f324fa0ac9f6b9889b614d13fc2c675ebea115f4c31e25e77ad3989ab62b93a0ef08bc1
SSDEEP

192:4fiPeafL1ef4sfFONVJ0spH3RfuAfD7ZtNYg3dx5BO8Qk5i9AE/y7faVj1qqfLf3:SU1wYZ//368Qk50a+FJ3W7mn/

Score

10^/10

formbook guloader gtt8 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gtt8

Decoy

42taijijian.com

rehnimiyanales.com

cst247.shop

usdt09.tech

lennartjahn.com

aaabestcbd.com

marketing-digital-france-2.xyz

be4time.com

slotyfly.com

parimaladragonflywellness.life

phonereda.com

01076.win

thehoundlounge.info

high-vent.co.uk

14thfeb.com

onlyforks.info

joseeandtim.com

mylegoclub.com

iuser-findmy.info

uninassaupolopinheiro.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/968-330-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/968-337-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/968-345-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/1904-348-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1904-349-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

17 1612 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location

flow	pid	process
17	1612	EQNEDT32.EXE

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

clean_registry.execlean_registry.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	clean_registry.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	clean_registry.exe

Executes dropped EXE 1 IoCs

Processes:

clean_registry.exe

pid process

976 clean_registry.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEclean_registry.execlean_registry.exe

pid process

1612 EQNEDT32.EXE
976 clean_registry.exe
976 clean_registry.exe
968 clean_registry.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

clean_registry.exe

pid process

968 clean_registry.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

clean_registry.execlean_registry.exe

pid process

976 clean_registry.exe
968 clean_registry.exe

pid	process
976	clean_registry.exe

pid	process
1612	EQNEDT32.EXE
976	clean_registry.exe
976	clean_registry.exe
968	clean_registry.exe

pid	process
976	clean_registry.exe
968	clean_registry.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

clean_registry.execlean_registry.execmmon32.exe

description	pid	process	target process
PID 976 set thread context of 968	976	clean_registry.exe	clean_registry.exe
PID 968 set thread context of 1280	968	clean_registry.exe	Explorer.EXE
PID 968 set thread context of 1280	968	clean_registry.exe	Explorer.EXE
PID 1904 set thread context of 1280	1904	cmmon32.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Public\clean_registry.exe	nsis_installer_1
C:\Users\Public\clean_registry.exe	nsis_installer_2
\Users\Public\clean_registry.exe	nsis_installer_1
\Users\Public\clean_registry.exe	nsis_installer_2
C:\Users\Public\clean_registry.exe	nsis_installer_1
C:\Users\Public\clean_registry.exe	nsis_installer_2
C:\Users\Public\clean_registry.exe	nsis_installer_1
C:\Users\Public\clean_registry.exe	nsis_installer_2
\Users\Public\clean_registry.exe	nsis_installer_1
\Users\Public\clean_registry.exe	nsis_installer_2
C:\Users\Public\clean_registry.exe	nsis_installer_1
C:\Users\Public\clean_registry.exe	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1612 EQNEDT32.EXE

pid	process
1612	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

928 WINWORD.EXE

pid	process
928	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

clean_registry.execmmon32.exe

pid	process
968	clean_registry.exe
968	clean_registry.exe
968	clean_registry.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe
1904	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

clean_registry.execlean_registry.execmmon32.exe

pid process

976 clean_registry.exe
968 clean_registry.exe
968 clean_registry.exe
968 clean_registry.exe
968 clean_registry.exe
1904 cmmon32.exe
1904 cmmon32.exe

pid	process
1280	Explorer.EXE

pid	process
976	clean_registry.exe
968	clean_registry.exe
968	clean_registry.exe
968	clean_registry.exe
968	clean_registry.exe
1904	cmmon32.exe
1904	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

clean_registry.exeExplorer.EXEcmmon32.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	968	clean_registry.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1904	cmmon32.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	928	WINWORD.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

928 WINWORD.EXE
928 WINWORD.EXE

pid	process
928	WINWORD.EXE
928	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEclean_registry.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 1612 wrote to memory of 976	1612	EQNEDT32.EXE	clean_registry.exe
PID 928 wrote to memory of 1364	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 1364	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 1364	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 1364	928	WINWORD.EXE	splwow64.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 976 wrote to memory of 968	976	clean_registry.exe	clean_registry.exe
PID 1280 wrote to memory of 1904	1280	Explorer.EXE	cmmon32.exe
PID 1280 wrote to memory of 1904	1280	Explorer.EXE	cmmon32.exe
PID 1280 wrote to memory of 1904	1280	Explorer.EXE	cmmon32.exe
PID 1280 wrote to memory of 1904	1280	Explorer.EXE	cmmon32.exe
PID 1904 wrote to memory of 1752	1904	cmmon32.exe	cmd.exe
PID 1904 wrote to memory of 1752	1904	cmmon32.exe	cmd.exe
PID 1904 wrote to memory of 1752	1904	cmmon32.exe	cmd.exe
PID 1904 wrote to memory of 1752	1904	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\UBIN0231541484.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1364

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\clean_registry.exe"
3⤵
PID:1752

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Public\clean_registry.exe
"C:\Users\Public\clean_registry.exe"
2⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Public\clean_registry.exe
"C:\Users\Public\clean_registry.exe"
3⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
feacd0cec0013453f4656e845213f9ea

SHA1
c5d680aba3b93aac7faa184557ca6a841deac9b9

SHA256
6ab550cf107301b8e0b828b164325e00a56793e655ef19caa89d1385dfadad79

SHA512
549a8ee32a2d2d6b51f9fb57a2d45c89be0a847785ae2a752fd110103325daf88395edc90b09dbdcc179f62ed94ac22d2c68d9cfc2f14e4fbe1dc8c681f1c4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{01309B31-BA04-41FA-8A19-D26181403434}.FSD
Filesize
128KB

MD5
3a3a35d7fc3c232dca79739d5a864bf6

SHA1
594f03985d2d8fa234ce551922ea3eeef7585025

SHA256
73c996f08c6188a3fb83c3ad198677963ceb86ecb3d317bcf0f665a0edfc66f9

SHA512
1e86765e96f1b1200699dbb10b0e9be7477f9cbb1c1f2b3960e9a92724bbe6b78dab31e3684b9d4502e21ecd546bd5980d541909795a336cdb57343882bbed92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
d8e6a27fbba2fe8179ba5bf2e8c84f6d

SHA1
d75b6869ab81c9226e0e08d378ef29380ee59128

SHA256
1a0236488c59dbb008a0b2cc69216f0d53332d15b95626fb64e25c6bc9d6f58b

SHA512
87064052289c5093476a790f60abec2b7e33143a35b1120d299e6ff67900b22d4d06c610b9b173fe850ce8e39270f273b7e8dd84c8b86ac7435bfb7a78d1be90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F0F4F581-3C31-4046-84BE-53BF3AF975DB}.FSD
Filesize
128KB

MD5
71092882816d528b636c51e9742005ec

SHA1
5f193a26bcf9962b6fe05a39bad597711212364b

SHA256
17bbcfb82de03c1286ea08d51f8682a33547a17005d2986cfccb957037d4fe16

SHA512
00740441f4ac6e7541bd29ba41dcfe6e915ba11a7a8d13599b215b51b558993f2790a9396594d6e5ae0b80c3d9503fd969ccc4a9e0ea4eca05aa56ee07fba2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\rsrsrsrsrsrrsrsrsrsrsrsrssrsrsr############################rsrsrsrsrsrsrsrsrsrs[1].doc
Filesize
22KB

MD5
39669a47b553f5d6b3ed6b730d7852f9

SHA1
74b365ae0dc316eee5de6df5911019cabe512efb

SHA256
8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d

SHA512
1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDE89E9C.dat
Filesize
1KB

MD5
a19e3005f2cf4408c6a0ef18419fd9cf

SHA1
2b2fe21480eae6c5bbc3bdc736e1186815fecffc

SHA256
01188acaff9047e8b0e6293aa34350f74b8b27f425323323b3ebd16e0284a26e

SHA512
f2c3dcc37e1868612cf73c976385c00d11c0b52db3846ab8a19d2fdf9cc0a0ec9e704da7607bb56076de7c57743f581d4ba56924994a89e692d20fe16b7ee7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4493.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4620.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0BB0D673-A534-4FF1-9171-23FC228CE535}
Filesize
128KB

MD5
861992f57679b0842d2134287d70a37a

SHA1
709abada64907c6c4de237b7a9dcc3ec5a8de352

SHA256
266bc5bc0aa2e31afbf0a453d67b68910dfa97dc4de4e8539ba06d7769196318

SHA512
0cf6ef53b75287927119d6eb32c334f0feebcace11807a8b118157e5b8f554f165aed5a34c7734ba4210d851cb3949ecba8135961f3ad9e830757f2730566744

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
48c29f59b10032b21504b4ee65a9f864

SHA1
1474498d6c8ba79ff7a806464f8d072a28524356

SHA256
c2a33e58d8596e826f6ed395bd0dcde0706c842cb7e0915a5a0318da8875d7d6

SHA512
27e4702912089e7517d21dd4dae361ffad8d921b68f94d2f003ef3b60222a5ec000b0928e66a7d42af317e5ff016fef6c85699022b7e6d9f8da9c7ec2a18d51a

Download Submit
C:\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
C:\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
C:\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
C:\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
\Users\Admin\AppData\Local\Temp\nst6460.tmp\System.dll
Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
\Users\Public\clean_registry.exe
Filesize
285KB

MD5
a413d04a39c86bd0b4ca116227d20a30

SHA1
0d88f2cca0aae58c31add82851c42fa1702cd4cf

SHA256
9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

SHA512
e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

Download Submit
memory/928-378-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/968-329-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-328-0x0000000001470000-0x00000000043A8000-memory.dmp

Filesize
47.2MB

Download
memory/968-327-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-330-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-331-0x0000000001470000-0x00000000043A8000-memory.dmp

Filesize
47.2MB

Download
memory/968-332-0x00000000345F0000-0x00000000348F3000-memory.dmp

Filesize
3.0MB

Download
memory/968-345-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-334-0x0000000001470000-0x00000000043A8000-memory.dmp

Filesize
47.2MB

Download
memory/968-335-0x0000000034460000-0x0000000034474000-memory.dmp

Filesize
80KB

Download
memory/968-342-0x0000000001470000-0x00000000043A8000-memory.dmp

Filesize
47.2MB

Download
memory/968-337-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-340-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/976-324-0x0000000002FD0000-0x0000000005F08000-memory.dmp

Filesize
47.2MB

Download
memory/976-308-0x0000000002FD0000-0x0000000005F08000-memory.dmp

Filesize
47.2MB

Download
memory/1280-341-0x0000000007220000-0x00000000073AD000-memory.dmp

Filesize
1.6MB

Download
memory/1280-336-0x0000000006B70000-0x0000000006CB0000-memory.dmp

Filesize
1.2MB

Download
memory/1280-385-0x00000000074F0000-0x000000000767D000-memory.dmp

Filesize
1.6MB

Download
memory/1280-333-0x0000000000340000-0x0000000000440000-memory.dmp

Filesize
1024KB

Download
memory/1280-383-0x00000000074F0000-0x000000000767D000-memory.dmp

Filesize
1.6MB

Download
memory/1280-381-0x00000000074F0000-0x000000000767D000-memory.dmp

Filesize
1.6MB

Download
memory/1904-343-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download
memory/1904-352-0x0000000000570000-0x0000000000603000-memory.dmp

Filesize
588KB

Download
memory/1904-349-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1904-348-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1904-347-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/1904-344-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download