Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
08-06-2023 04:39
Static task
static1
Behavioral task
behavioral1
Sample
3abfcd50698f63ec13889697874b0dfd.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
3abfcd50698f63ec13889697874b0dfd.rtf
Resource
win10v2004-20230221-en
General
-
Target
3abfcd50698f63ec13889697874b0dfd.rtf
-
Size
23KB
-
MD5
3abfcd50698f63ec13889697874b0dfd
-
SHA1
10934d356d6bf22b54fea6249d80f749ad746c8a
-
SHA256
f287d933ff17b3591ddd689172c4d8964644bf3740ac8d9418365b3b97c51c2b
-
SHA512
e8cad2f9364852d1ef74437a99d2d77808a825504a804f6fe50733493459214d3613bcbe56defa04e2b1d18d3ec0ee10656c1f5c0a51ded6949923650867c441
-
SSDEEP
384:PL8yqfpijwB6fPIsKTT9gNUXDVfcwBbCvdHHWvhdCT7TuEUiVW0+T2J11ArdNWAn:j8yqfpiJnZKTT9gNQDVfcwBbqdH2vhdv
Malware Config
Extracted
formbook
4.1
xchu
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1740-85-0x0000000000400000-0x0000000001462000-memory.dmp formbook behavioral1/memory/1740-90-0x0000000000400000-0x0000000001462000-memory.dmp formbook behavioral1/memory/1452-99-0x0000000000090000-0x00000000000BF000-memory.dmp formbook behavioral1/memory/1452-102-0x0000000000090000-0x00000000000BF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 768 EQNEDT32.EXE -
Downloads MZ/PE file
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
cleanmgr_.execleanmgr_.exedescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe cleanmgr_.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe cleanmgr_.exe -
Executes dropped EXE 1 IoCs
Processes:
cleanmgr_.exepid process 984 cleanmgr_.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEcleanmgr_.execleanmgr_.exepid process 768 EQNEDT32.EXE 984 cleanmgr_.exe 1740 cleanmgr_.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
cleanmgr_.exepid process 1740 cleanmgr_.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
cleanmgr_.execleanmgr_.exepid process 984 cleanmgr_.exe 1740 cleanmgr_.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
cleanmgr_.execleanmgr_.exerundll32.exedescription pid process target process PID 984 set thread context of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 1740 set thread context of 1200 1740 cleanmgr_.exe Explorer.EXE PID 1452 set thread context of 1200 1452 rundll32.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 10 IoCs
Processes:
resource yara_rule C:\Users\Public\cleanmgr_.exe nsis_installer_1 C:\Users\Public\cleanmgr_.exe nsis_installer_2 \Users\Public\cleanmgr_.exe nsis_installer_1 \Users\Public\cleanmgr_.exe nsis_installer_2 C:\Users\Public\cleanmgr_.exe nsis_installer_1 C:\Users\Public\cleanmgr_.exe nsis_installer_2 C:\Users\Public\cleanmgr_.exe nsis_installer_1 C:\Users\Public\cleanmgr_.exe nsis_installer_2 C:\Users\Public\cleanmgr_.exe nsis_installer_1 C:\Users\Public\cleanmgr_.exe nsis_installer_2 -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 704 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
cleanmgr_.exerundll32.exepid process 1740 cleanmgr_.exe 1740 cleanmgr_.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1200 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
cleanmgr_.execleanmgr_.exerundll32.exepid process 984 cleanmgr_.exe 1740 cleanmgr_.exe 1740 cleanmgr_.exe 1740 cleanmgr_.exe 1452 rundll32.exe 1452 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
cleanmgr_.exerundll32.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1740 cleanmgr_.exe Token: SeDebugPrivilege 1452 rundll32.exe Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 704 WINWORD.EXE 704 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 704 WINWORD.EXE 704 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEcleanmgr_.exeExplorer.EXErundll32.exedescription pid process target process PID 768 wrote to memory of 984 768 EQNEDT32.EXE cleanmgr_.exe PID 768 wrote to memory of 984 768 EQNEDT32.EXE cleanmgr_.exe PID 768 wrote to memory of 984 768 EQNEDT32.EXE cleanmgr_.exe PID 768 wrote to memory of 984 768 EQNEDT32.EXE cleanmgr_.exe PID 704 wrote to memory of 1900 704 WINWORD.EXE splwow64.exe PID 704 wrote to memory of 1900 704 WINWORD.EXE splwow64.exe PID 704 wrote to memory of 1900 704 WINWORD.EXE splwow64.exe PID 704 wrote to memory of 1900 704 WINWORD.EXE splwow64.exe PID 984 wrote to memory of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 984 wrote to memory of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 984 wrote to memory of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 984 wrote to memory of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 984 wrote to memory of 1740 984 cleanmgr_.exe cleanmgr_.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1200 wrote to memory of 1452 1200 Explorer.EXE rundll32.exe PID 1452 wrote to memory of 1732 1452 rundll32.exe cmd.exe PID 1452 wrote to memory of 1732 1452 rundll32.exe cmd.exe PID 1452 wrote to memory of 1732 1452 rundll32.exe cmd.exe PID 1452 wrote to memory of 1732 1452 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3abfcd50698f63ec13889697874b0dfd.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1900
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\cleanmgr_.exe"3⤵PID:1732
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Users\Public\cleanmgr_.exe"C:\Users\Public\cleanmgr_.exe"2⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Users\Public\cleanmgr_.exe"C:\Users\Public\cleanmgr_.exe"3⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD55cf8803e054fdae43a5f93c39315fa3e
SHA18ce71fe8de6a7bdcf486d66c3be2c1c848d94cb2
SHA256875246ef4080fc2ea79eba3809ae4c0158a7ffe296d90cfa4bcdf71211e45697
SHA512f07f487ad3df213e53b6b0a714c74c70d130583aa2adfa0a558a7407d921675ca87c046e9e6a37810cdfc419bd032ec04bd086c0c61e904e90f3f9dbfef19647
-
C:\Users\Public\cleanmgr_.exeFilesize
1.2MB
MD5e95742503cd258666b61c5dde8a9003a
SHA1cee3b32cbbcec87c7393a066012e6a2479867d4f
SHA256f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
SHA512d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd
-
C:\Users\Public\cleanmgr_.exeFilesize
1.2MB
MD5e95742503cd258666b61c5dde8a9003a
SHA1cee3b32cbbcec87c7393a066012e6a2479867d4f
SHA256f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
SHA512d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd
-
C:\Users\Public\cleanmgr_.exeFilesize
1.2MB
MD5e95742503cd258666b61c5dde8a9003a
SHA1cee3b32cbbcec87c7393a066012e6a2479867d4f
SHA256f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
SHA512d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd
-
C:\Users\Public\cleanmgr_.exeFilesize
1.2MB
MD5e95742503cd258666b61c5dde8a9003a
SHA1cee3b32cbbcec87c7393a066012e6a2479867d4f
SHA256f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
SHA512d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd
-
\Users\Admin\AppData\Local\Temp\nst8D82.tmp\System.dllFilesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
\Users\Public\cleanmgr_.exeFilesize
1.2MB
MD5e95742503cd258666b61c5dde8a9003a
SHA1cee3b32cbbcec87c7393a066012e6a2479867d4f
SHA256f52f3c64c7e5729b929919c449f9087899823470d11335c5dad97f8c19ce2679
SHA512d2fad4e9bd20551bf89c15e86806a76f2dddb7702666b15fb64005effea01fcbe0087f3424c7f867e9ffa8021647e118f222595b43c039ce76fe9a33c7922fdd
-
memory/704-122-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/704-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1200-89-0x00000000068E0000-0x0000000006A8D000-memory.dmpFilesize
1.7MB
-
memory/1200-127-0x0000000003FF0000-0x00000000040A2000-memory.dmpFilesize
712KB
-
memory/1200-125-0x0000000003FF0000-0x00000000040A2000-memory.dmpFilesize
712KB
-
memory/1200-123-0x0000000003FF0000-0x00000000040A2000-memory.dmpFilesize
712KB
-
memory/1452-100-0x0000000002220000-0x0000000002523000-memory.dmpFilesize
3.0MB
-
memory/1452-99-0x0000000000090000-0x00000000000BF000-memory.dmpFilesize
188KB
-
memory/1452-104-0x0000000000680000-0x0000000000713000-memory.dmpFilesize
588KB
-
memory/1452-92-0x0000000000670000-0x000000000067E000-memory.dmpFilesize
56KB
-
memory/1452-94-0x0000000000670000-0x000000000067E000-memory.dmpFilesize
56KB
-
memory/1452-102-0x0000000000090000-0x00000000000BF000-memory.dmpFilesize
188KB
-
memory/1452-98-0x0000000000670000-0x000000000067E000-memory.dmpFilesize
56KB
-
memory/1740-88-0x00000000000B0000-0x00000000000C4000-memory.dmpFilesize
80KB
-
memory/1740-87-0x0000000035D60000-0x0000000036063000-memory.dmpFilesize
3.0MB
-
memory/1740-93-0x0000000001470000-0x0000000005ADF000-memory.dmpFilesize
70.4MB
-
memory/1740-90-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1740-86-0x0000000001470000-0x0000000005ADF000-memory.dmpFilesize
70.4MB
-
memory/1740-85-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1740-83-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1740-82-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1740-81-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB