Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
26-06-2023 07:30
Static task
static1
Behavioral task
behavioral1
Sample
30% Payment Receipt.rtf
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
30% Payment Receipt.rtf
Resource
win10v2004-20230621-en
General
-
Target
30% Payment Receipt.rtf
-
Size
42KB
-
MD5
d4bc695be1f64cb89c061b21b06815a2
-
SHA1
4056cdfa99fe137e1324be62763aee23d1990eb7
-
SHA256
ad167c04c640a9777e7b6bb420e64b5cc46a0fd588820f6895420991465944a0
-
SHA512
1ddb705be7d901acd7f9889bdfb4491ce4c5a9619884f083c79ac4046285d786e54ce6aabcf4eacbf6fc522804c27b8cc88f20b5077ef249d0f9c93390806221
-
SSDEEP
768:rFx0XaIsnPRIa4fwJMo30VYWEfOH/cNUWTL4QUATxZA9fSP3/Uz+o4KSAIR:rf0Xvx3EMo32YWEfrkVAV//Uz+o46IR
Malware Config
Extracted
formbook
4.1
xchu
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1604-81-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1604-87-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1640-95-0x0000000000120000-0x000000000014F000-memory.dmp formbook behavioral1/memory/1640-97-0x0000000000120000-0x000000000014F000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 628 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pablodfd4676529.exepablodfd4676529.exepid process 1648 pablodfd4676529.exe 1604 pablodfd4676529.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 628 EQNEDT32.EXE -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
pablodfd4676529.exepablodfd4676529.exechkdsk.exedescription pid process target process PID 1648 set thread context of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1604 set thread context of 1252 1604 pablodfd4676529.exe Explorer.EXE PID 1640 set thread context of 1252 1640 chkdsk.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1144 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pablodfd4676529.exepowershell.exechkdsk.exepid process 1604 pablodfd4676529.exe 1604 pablodfd4676529.exe 884 powershell.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe 1640 chkdsk.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pablodfd4676529.exechkdsk.exepid process 1604 pablodfd4676529.exe 1604 pablodfd4676529.exe 1604 pablodfd4676529.exe 1640 chkdsk.exe 1640 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
pablodfd4676529.exepowershell.exechkdsk.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1604 pablodfd4676529.exe Token: SeDebugPrivilege 884 powershell.exe Token: SeDebugPrivilege 1640 chkdsk.exe Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1144 WINWORD.EXE 1144 WINWORD.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEpablodfd4676529.exeExplorer.EXEchkdsk.exedescription pid process target process PID 628 wrote to memory of 1648 628 EQNEDT32.EXE pablodfd4676529.exe PID 628 wrote to memory of 1648 628 EQNEDT32.EXE pablodfd4676529.exe PID 628 wrote to memory of 1648 628 EQNEDT32.EXE pablodfd4676529.exe PID 628 wrote to memory of 1648 628 EQNEDT32.EXE pablodfd4676529.exe PID 1144 wrote to memory of 1712 1144 WINWORD.EXE splwow64.exe PID 1144 wrote to memory of 1712 1144 WINWORD.EXE splwow64.exe PID 1144 wrote to memory of 1712 1144 WINWORD.EXE splwow64.exe PID 1144 wrote to memory of 1712 1144 WINWORD.EXE splwow64.exe PID 1648 wrote to memory of 884 1648 pablodfd4676529.exe powershell.exe PID 1648 wrote to memory of 884 1648 pablodfd4676529.exe powershell.exe PID 1648 wrote to memory of 884 1648 pablodfd4676529.exe powershell.exe PID 1648 wrote to memory of 884 1648 pablodfd4676529.exe powershell.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1648 wrote to memory of 1604 1648 pablodfd4676529.exe pablodfd4676529.exe PID 1252 wrote to memory of 1640 1252 Explorer.EXE chkdsk.exe PID 1252 wrote to memory of 1640 1252 Explorer.EXE chkdsk.exe PID 1252 wrote to memory of 1640 1252 Explorer.EXE chkdsk.exe PID 1252 wrote to memory of 1640 1252 Explorer.EXE chkdsk.exe PID 1640 wrote to memory of 604 1640 chkdsk.exe cmd.exe PID 1640 wrote to memory of 604 1640 chkdsk.exe cmd.exe PID 1640 wrote to memory of 604 1640 chkdsk.exe cmd.exe PID 1640 wrote to memory of 604 1640 chkdsk.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30% Payment Receipt.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"C:\Users\Admin\AppData\Roaming\pablodfd4676529.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5090dffb43da1628858a0fdea440a87e9
SHA14e87d49ec2cfeacb3d24e78afb2f60f2e2b01e8d
SHA2562044c1842d9f406ccf410960098c0cc0a8f57341cc7a66176f21790787c29df5
SHA5120dff2caf8eb39718959bd17c75b418c8da3817b00fe143c09a6c627016a65bd0ad85de865b686f25377892f7c9df2515f150e6e104d311f15f45770198fdfa67
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exeFilesize
662KB
MD540df500e4caa9265ef6bea269c34140d
SHA1db34bb2e6dc20b945443faa9f5c5607a66638735
SHA2569e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA512d51a238be322f12673fa76be731a123a2d0ca5c398a285e91a7a5bed231f4f1d5ca27e3ee0d4bd83502a064dec537a56fe9ed3f578c1e2e1595df8b7f2c7a347
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exeFilesize
662KB
MD540df500e4caa9265ef6bea269c34140d
SHA1db34bb2e6dc20b945443faa9f5c5607a66638735
SHA2569e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA512d51a238be322f12673fa76be731a123a2d0ca5c398a285e91a7a5bed231f4f1d5ca27e3ee0d4bd83502a064dec537a56fe9ed3f578c1e2e1595df8b7f2c7a347
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exeFilesize
662KB
MD540df500e4caa9265ef6bea269c34140d
SHA1db34bb2e6dc20b945443faa9f5c5607a66638735
SHA2569e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA512d51a238be322f12673fa76be731a123a2d0ca5c398a285e91a7a5bed231f4f1d5ca27e3ee0d4bd83502a064dec537a56fe9ed3f578c1e2e1595df8b7f2c7a347
-
C:\Users\Admin\AppData\Roaming\pablodfd4676529.exeFilesize
662KB
MD540df500e4caa9265ef6bea269c34140d
SHA1db34bb2e6dc20b945443faa9f5c5607a66638735
SHA2569e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA512d51a238be322f12673fa76be731a123a2d0ca5c398a285e91a7a5bed231f4f1d5ca27e3ee0d4bd83502a064dec537a56fe9ed3f578c1e2e1595df8b7f2c7a347
-
\Users\Admin\AppData\Roaming\pablodfd4676529.exeFilesize
662KB
MD540df500e4caa9265ef6bea269c34140d
SHA1db34bb2e6dc20b945443faa9f5c5607a66638735
SHA2569e4d05b5c07d77f2bf1fd7a22c59b4932f096ad1e140a536a025b5c325683073
SHA512d51a238be322f12673fa76be731a123a2d0ca5c398a285e91a7a5bed231f4f1d5ca27e3ee0d4bd83502a064dec537a56fe9ed3f578c1e2e1595df8b7f2c7a347
-
memory/884-92-0x0000000002370000-0x00000000023B0000-memory.dmpFilesize
256KB
-
memory/884-90-0x0000000002370000-0x00000000023B0000-memory.dmpFilesize
256KB
-
memory/884-88-0x0000000002370000-0x00000000023B0000-memory.dmpFilesize
256KB
-
memory/1144-127-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1144-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1252-101-0x0000000006E00000-0x0000000006EC4000-memory.dmpFilesize
784KB
-
memory/1252-102-0x0000000006E00000-0x0000000006EC4000-memory.dmpFilesize
784KB
-
memory/1252-105-0x0000000006E00000-0x0000000006EC4000-memory.dmpFilesize
784KB
-
memory/1252-91-0x0000000006AA0000-0x0000000006BB5000-memory.dmpFilesize
1.1MB
-
memory/1604-78-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1604-79-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1604-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1604-81-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1604-86-0x00000000008A0000-0x0000000000BA3000-memory.dmpFilesize
3.0MB
-
memory/1604-87-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1604-89-0x00000000003E0000-0x00000000003F4000-memory.dmpFilesize
80KB
-
memory/1640-94-0x00000000000C0000-0x00000000000C7000-memory.dmpFilesize
28KB
-
memory/1640-93-0x00000000000C0000-0x00000000000C7000-memory.dmpFilesize
28KB
-
memory/1640-96-0x0000000001EE0000-0x00000000021E3000-memory.dmpFilesize
3.0MB
-
memory/1640-95-0x0000000000120000-0x000000000014F000-memory.dmpFilesize
188KB
-
memory/1640-97-0x0000000000120000-0x000000000014F000-memory.dmpFilesize
188KB
-
memory/1640-100-0x0000000001DE0000-0x0000000001E73000-memory.dmpFilesize
588KB
-
memory/1648-77-0x0000000007E60000-0x0000000007ECE000-memory.dmpFilesize
440KB
-
memory/1648-76-0x00000000004B0000-0x00000000004BC000-memory.dmpFilesize
48KB
-
memory/1648-74-0x00000000042B0000-0x00000000042F0000-memory.dmpFilesize
256KB
-
memory/1648-73-0x0000000000340000-0x000000000034C000-memory.dmpFilesize
48KB
-
memory/1648-72-0x00000000042B0000-0x00000000042F0000-memory.dmpFilesize
256KB
-
memory/1648-67-0x0000000000030000-0x00000000000DC000-memory.dmpFilesize
688KB