formbook | 94e3996206fdc70b2ed95a87672b3516eac8a41d25c2c3659ed7933399bfa287

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
27/06/2023, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INVOICENoKTSPHIAUDIOdocx.docx
Size

10KB
MD5

10fff05223ad6d1bb04774da72f1d815
SHA1

c85b33926aafd563649ae22c6506212591d36b0a
SHA256

94e3996206fdc70b2ed95a87672b3516eac8a41d25c2c3659ed7933399bfa287
SHA512

3fb1aa53fbb6920a6f4fbc33cc176e2842f3c3634319741183aaa6aaf5741cb960a352322b5d2263b877026b699764b4e214746c074f91a58b39820ed36acb17
SSDEEP

192:gya0NI0ZmW6ARgZVPCK44AG9xXSJ+Ej70JY6KwHKcpkWY8cWeZF:gyXI0ZmW6ANK4499xXSJf70JY6H1Y8eF

Score

10^/10

formbook m42i persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m42i

Decoy

kosporttraining.com

z19zgcn.site

kaka225.click

85471xii.net

iuplqle.xyz

bengtsberg.net

bk2y0rmx.site

hotspudqec.space

dreamshospital.com

studio-glinka.com

garotosdatv1.online

au-t-global.com

0kxm.com

medsuppanam.com

sameypaige.com

osstshirts.com

xkrujqqo.shop

hk2r.top

rakebacksites.com

ledxiu.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1388-157-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1388-164-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/828-175-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1816	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2044	agodidfd467651.exe
1388	agodidfd467651.exe

Loads dropped DLL 2 IoCs

pid	Process
1816	EQNEDT32.EXE
2044	agodidfd467651.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxhhdmmirr = "C:\\Users\\Admin\\AppData\\Roaming\\scllhqqyuuea\\ajss.exe \"C:\\Users\\Admin\\AppData\\Roaming\\agodidfd467651.exe\""	agodidfd467651.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1388	2044	agodidfd467651.exe	32
PID 1388 set thread context of 1272	1388	agodidfd467651.exe	13
PID 828 set thread context of 1272	828	cmstp.exe	13

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1816	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1752	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1388	agodidfd467651.exe
1388	agodidfd467651.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2044	agodidfd467651.exe
1388	agodidfd467651.exe
1388	agodidfd467651.exe
1388	agodidfd467651.exe
828	cmstp.exe
828	cmstp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	agodidfd467651.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	828	cmstp.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1752	WINWORD.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1752	WINWORD.EXE
1752	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2044	1816	EQNEDT32.EXE	31
PID 1816 wrote to memory of 2044	1816	EQNEDT32.EXE	31
PID 1816 wrote to memory of 2044	1816	EQNEDT32.EXE	31
PID 1816 wrote to memory of 2044	1816	EQNEDT32.EXE	31
PID 2044 wrote to memory of 1388	2044	agodidfd467651.exe	32
PID 2044 wrote to memory of 1388	2044	agodidfd467651.exe	32
PID 2044 wrote to memory of 1388	2044	agodidfd467651.exe	32
PID 2044 wrote to memory of 1388	2044	agodidfd467651.exe	32
PID 2044 wrote to memory of 1388	2044	agodidfd467651.exe	32
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 1272 wrote to memory of 828	1272	Explorer.EXE	35
PID 828 wrote to memory of 2040	828	cmstp.exe	37
PID 828 wrote to memory of 2040	828	cmstp.exe	37
PID 828 wrote to memory of 2040	828	cmstp.exe	37
PID 828 wrote to memory of 2040	828	cmstp.exe	37
PID 1752 wrote to memory of 1756	1752	WINWORD.EXE	39
PID 1752 wrote to memory of 1756	1752	WINWORD.EXE	39
PID 1752 wrote to memory of 1756	1752	WINWORD.EXE	39
PID 1752 wrote to memory of 1756	1752	WINWORD.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICENoKTSPHIAUDIOdocx.docx"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1756
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:980
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\agodidfd467651.exe"
    3⤵
    PID:2040

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\agodidfd467651.exe
  "C:\Users\Admin\AppData\Roaming\agodidfd467651.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Roaming\agodidfd467651.exe
    "C:\Users\Admin\AppData\Roaming\agodidfd467651.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5D1B7834-9E03-4DC0-9D61-9E66D15A7559}.FSD

Filesize
128KB

MD5
fa6cbf49baaa89ca557b3cfe5d8233bb

SHA1
7a52b04c6ec6757c75371747a8eb59fdcd66d8a9

SHA256
093195e65cafad1ecb0cee1dc5b55e91bdec5e97cf28a012f73e956fcfa54094

SHA512
de016b6ef2eff1827a864732a73637aa49466447f7e1562e7180a696a4849458b0364b1ec066349de683e828cf5b1098a342f3f04fbfcc480bd26fde6c6ccad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f5a2c5a4c5b366697a67da465d9438b9

SHA1
dee3705001d9681d8e2898135cdb281745fd2d95

SHA256
b43f8116a82b085cb32436b72cdb4a5489d2a522fc1ee62070a0fc82b537d803

SHA512
f0631959ebda519d093a1c9f9d00c3b0d44b7f3fa2333f811b7442f36cfae1c59ff65298335d39f11894073e48742e742b3780e7c682fba458773dee9b47ed25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{74075A5F-DE9D-464C-8C25-35C1FC570950}.FSD

Filesize
128KB

MD5
0d3e104274e8c081e3db2dceced24714

SHA1
01e450846dd7da78fbb95e846105ccd42846c549

SHA256
404ae35b4580c0cad06c8b6f2c84b15093d4c708f843ac5f61750d3c339361eb

SHA512
7c647b1c111439edaf7b27ca8d5a147f2ddd4278bbc27118e292e7856d9e1db5b75bad47a16ca6b192a1234a195bae8f9b9165e4e39a5a581a0b59bb6cd4300f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\134K02XQ\agodzx[1].doc

Filesize
40KB

MD5
2af4d7d7255cb2e719ade02f0c21a41c

SHA1
836f880b9b17ed529d7718b109b3251f5b98fe37

SHA256
dd625949ce3243dc01eaf5d1d270bef6d4f75a66995271553ea53ed8d3ba0a56

SHA512
6cf3093bdda1781690e3b018967802d4aa47446d7cab190fc455d9a3e2da777ca7a89582a9a8a5f57000df26afeef5f241705f37c73fe432f6c76dd84e0f972a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj2955.tmp\ecdkpffhq.dll

Filesize
7KB

MD5
245f124925a294fcf99e982ce5332143

SHA1
e6130629152aeb5becb37b67372c7cf436e543ae

SHA256
41b93d6be7b46e7d5b20ecfb2007ecba04349b0c1749252b29120b44107457b8

SHA512
dfbcbf7a1893492fe22a0fa730827cd6b5224bc00354717fa44fe776a03b080aea7ae165f2e32ea21900243b2894d770e96b448228199e97636a4f0c797a0ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01AF6A70-FDFD-4EC9-8172-F6A33EDD12F5}

Filesize
128KB

MD5
2b1047bba7f6f2a1b7412b84f12627d5

SHA1
f852770b7d075607c931b14ee5606022f08022df

SHA256
590997c1635488fd13d481dc4eced8ad24ef5419f18661ef7455d2538ba947e4

SHA512
b684882b6bcfb8ca8f7b4695c4bfb42e91d525cc034478cf988eb203e8df01e58c161e90cf0ed6e04f6da96996fbb2598200bdc3feed761dd9079e3306a2de53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
3e72f684c924ca0186101fb2ce68dd02

SHA1
6f4a9bf647c0dc63471a1ab2202f1d7b2f0495c5

SHA256
bab41604516c91090d760f7b17d6efa4a16619784d033389afd95422b48c7f33

SHA512
56cc59eb02f3792b37c0dcbe91cf1931da74f2a6c33ca88e6c7609deabc38c7f5a419e8ac899888737573517033047910cce971cac11ae3fea3f37a213a702f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\agodidfd467651.exe

Filesize
239KB

MD5
8001fc3355e347ebeb82daf3170e884e

SHA1
13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

SHA256
ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

SHA512
35629758ce4674e30139189970798283b3d8915d3e4bf360b21fa1cec86d62b2e0c0de0d3f3f6cd81d4fbb38e6fe54be2357e9d31bfaa0c22827a7ea304d7075

Download Submit
C:\Users\Admin\AppData\Roaming\agodidfd467651.exe

Filesize
239KB

MD5
8001fc3355e347ebeb82daf3170e884e

SHA1
13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

SHA256
ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

SHA512
35629758ce4674e30139189970798283b3d8915d3e4bf360b21fa1cec86d62b2e0c0de0d3f3f6cd81d4fbb38e6fe54be2357e9d31bfaa0c22827a7ea304d7075

Download Submit
C:\Users\Admin\AppData\Roaming\agodidfd467651.exe

Filesize
239KB

MD5
8001fc3355e347ebeb82daf3170e884e

SHA1
13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

SHA256
ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

SHA512
35629758ce4674e30139189970798283b3d8915d3e4bf360b21fa1cec86d62b2e0c0de0d3f3f6cd81d4fbb38e6fe54be2357e9d31bfaa0c22827a7ea304d7075

Download Submit
C:\Users\Admin\AppData\Roaming\agodidfd467651.exe

Filesize
239KB

MD5
8001fc3355e347ebeb82daf3170e884e

SHA1
13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

SHA256
ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

SHA512
35629758ce4674e30139189970798283b3d8915d3e4bf360b21fa1cec86d62b2e0c0de0d3f3f6cd81d4fbb38e6fe54be2357e9d31bfaa0c22827a7ea304d7075

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2955.tmp\ecdkpffhq.dll

Filesize
7KB

MD5
245f124925a294fcf99e982ce5332143

SHA1
e6130629152aeb5becb37b67372c7cf436e543ae

SHA256
41b93d6be7b46e7d5b20ecfb2007ecba04349b0c1749252b29120b44107457b8

SHA512
dfbcbf7a1893492fe22a0fa730827cd6b5224bc00354717fa44fe776a03b080aea7ae165f2e32ea21900243b2894d770e96b448228199e97636a4f0c797a0ec9

Download Submit
\Users\Admin\AppData\Roaming\agodidfd467651.exe

Filesize
239KB

MD5
8001fc3355e347ebeb82daf3170e884e

SHA1
13ca31e5a9af8e3200f0f7b4a75b6e87450bed1b

SHA256
ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

SHA512
35629758ce4674e30139189970798283b3d8915d3e4bf360b21fa1cec86d62b2e0c0de0d3f3f6cd81d4fbb38e6fe54be2357e9d31bfaa0c22827a7ea304d7075

Download Submit
memory/828-172-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download
memory/828-189-0x0000000000900000-0x0000000000994000-memory.dmp

Filesize
592KB

Download
memory/828-176-0x00000000022B0000-0x00000000025B3000-memory.dmp

Filesize
3.0MB

Download
memory/828-175-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/828-174-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download
memory/1272-162-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1272-166-0x0000000006B70000-0x0000000006D13000-memory.dmp

Filesize
1.6MB

Download
memory/1272-187-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1272-191-0x0000000007270000-0x0000000007355000-memory.dmp

Filesize
916KB

Download
memory/1272-192-0x0000000007270000-0x0000000007355000-memory.dmp

Filesize
916KB

Download
memory/1272-195-0x0000000007270000-0x0000000007355000-memory.dmp

Filesize
916KB

Download
memory/1388-165-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/1388-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-163-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1388-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1752-224-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-159-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download