formbook | 4fbd9aad2f65cd5e6f0c4df01566cfef74f9a6209d44ed0ba9e7cd8c04ff034f

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 2344(ES2309-015).xls
Size

1.1MB
MD5

a07fc73d08d1cf4779e3ea62998b7b9b
SHA1

9152263de49c761a5652c4a4daaaccf27af9bb80
SHA256

4fbd9aad2f65cd5e6f0c4df01566cfef74f9a6209d44ed0ba9e7cd8c04ff034f
SHA512

556e12c3cf9bf0df79b11090f265446275db92e758d69c73e44cf2358f5600c681235197964a801cb9c5baf152161470d9a1e47c9a15a64311bdc881484ad2c1
SSDEEP

24576:EWQmmav30xSZy6w6Va6N+yZyew6VC6N3qBR0lQ0TIB0T1qJ6H3Sw0D:ZQmmQ306+6V/tK6V3EYl7TBTe6HC3

Score

10^/10

formbook sy22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2540-28-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2540-33-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2540-39-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2796-45-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2796-47-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2640	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2516	TiWorker.exe
2544	wirybscjwh.exe
2540	wirybscjwh.exe

Loads dropped DLL 3 IoCs

pid	Process
2640	EQNEDT32.EXE
2516	TiWorker.exe
2544	wirybscjwh.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 2540	2544	wirybscjwh.exe	31
PID 2540 set thread context of 1180	2540	wirybscjwh.exe	6
PID 2540 set thread context of 1180	2540	wirybscjwh.exe	6
PID 2796 set thread context of 1180	2796	wlanext.exe	6

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2640	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2364	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2540	wirybscjwh.exe
2540	wirybscjwh.exe
2540	wirybscjwh.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe
2796	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2544	wirybscjwh.exe
2540	wirybscjwh.exe
2540	wirybscjwh.exe
2540	wirybscjwh.exe
2540	wirybscjwh.exe
2796	wlanext.exe
2796	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	wirybscjwh.exe
Token: SeDebugPrivilege	2796	wlanext.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2516	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2516	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2516	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2516	2640	EQNEDT32.EXE	29
PID 2516 wrote to memory of 2544	2516	TiWorker.exe	30
PID 2516 wrote to memory of 2544	2516	TiWorker.exe	30
PID 2516 wrote to memory of 2544	2516	TiWorker.exe	30
PID 2516 wrote to memory of 2544	2516	TiWorker.exe	30
PID 2544 wrote to memory of 2540	2544	wirybscjwh.exe	31
PID 2544 wrote to memory of 2540	2544	wirybscjwh.exe	31
PID 2544 wrote to memory of 2540	2544	wirybscjwh.exe	31
PID 2544 wrote to memory of 2540	2544	wirybscjwh.exe	31
PID 2544 wrote to memory of 2540	2544	wirybscjwh.exe	31
PID 1180 wrote to memory of 2796	1180	Explorer.EXE	33
PID 1180 wrote to memory of 2796	1180	Explorer.EXE	33
PID 1180 wrote to memory of 2796	1180	Explorer.EXE	33
PID 1180 wrote to memory of 2796	1180	Explorer.EXE	33
PID 2796 wrote to memory of 2888	2796	wlanext.exe	34
PID 2796 wrote to memory of 2888	2796	wlanext.exe	34
PID 2796 wrote to memory of 2888	2796	wlanext.exe	34
PID 2796 wrote to memory of 2888	2796	wlanext.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO 2344(ES2309-015).xls"
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe"
    3⤵
    PID:2888

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\TiWorker.exe
  "C:\Users\Admin\AppData\Roaming\TiWorker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe
    "C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe
      "C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jlcsz.t

Filesize
205KB

MD5
196fb7e1e9c8fdae48112489a24d4ad3

SHA1
335502082c0eb99668c515f04823baeef6fc6064

SHA256
bdc440c03c351c2e8a7e5115724a90292754eb7b533924aa02b22d2d37bb9fb6

SHA512
02cf78c6a1bdabeb654f00be67cf620a65a3e540a813112ff4e352ab5e8ae80545fc5939e9ab82f10b0da812601f911d1743504dfb264c6023f83e75847301d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe

Filesize
150KB

MD5
46b193d5f704cd1a0aadb11ee569797e

SHA1
7cd6f0a405361111a11935961a8e7d8e12c425c9

SHA256
c3bca399df18104cf411227ac1e92f422ed40ee71c43764d452a514c718fa2f4

SHA512
ad02f8412175103031ace01ed3fd2c6694c0e8d39ae45e10b067dd1cff3ee709a741613522eb208e32ea6cadb79ff55e22c68ed46673acfd66808e1141b61c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe

Filesize
150KB

MD5
46b193d5f704cd1a0aadb11ee569797e

SHA1
7cd6f0a405361111a11935961a8e7d8e12c425c9

SHA256
c3bca399df18104cf411227ac1e92f422ed40ee71c43764d452a514c718fa2f4

SHA512
ad02f8412175103031ace01ed3fd2c6694c0e8d39ae45e10b067dd1cff3ee709a741613522eb208e32ea6cadb79ff55e22c68ed46673acfd66808e1141b61c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe

Filesize
150KB

MD5
46b193d5f704cd1a0aadb11ee569797e

SHA1
7cd6f0a405361111a11935961a8e7d8e12c425c9

SHA256
c3bca399df18104cf411227ac1e92f422ed40ee71c43764d452a514c718fa2f4

SHA512
ad02f8412175103031ace01ed3fd2c6694c0e8d39ae45e10b067dd1cff3ee709a741613522eb208e32ea6cadb79ff55e22c68ed46673acfd66808e1141b61c6c

Download Submit
C:\Users\Admin\AppData\Roaming\TiWorker.exe

Filesize
298KB

MD5
b51f67297d5dd494ed1acecf85c989f8

SHA1
3b0bb6fab8077c13633b9cdab84a42d981fb59b5

SHA256
c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc

SHA512
14de097c176e7c7b8626f6a514d7969cde26009612517ef5dc25f85ad583d4093f0cddc80a7502f2471850461caffccbffa76228ed4fe8278b08f5fe2013f157

Download Submit
C:\Users\Admin\AppData\Roaming\TiWorker.exe

Filesize
298KB

MD5
b51f67297d5dd494ed1acecf85c989f8

SHA1
3b0bb6fab8077c13633b9cdab84a42d981fb59b5

SHA256
c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc

SHA512
14de097c176e7c7b8626f6a514d7969cde26009612517ef5dc25f85ad583d4093f0cddc80a7502f2471850461caffccbffa76228ed4fe8278b08f5fe2013f157

Download Submit
C:\Users\Admin\AppData\Roaming\TiWorker.exe

Filesize
298KB

MD5
b51f67297d5dd494ed1acecf85c989f8

SHA1
3b0bb6fab8077c13633b9cdab84a42d981fb59b5

SHA256
c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc

SHA512
14de097c176e7c7b8626f6a514d7969cde26009612517ef5dc25f85ad583d4093f0cddc80a7502f2471850461caffccbffa76228ed4fe8278b08f5fe2013f157

Download Submit
\Users\Admin\AppData\Local\Temp\wirybscjwh.exe

Filesize
150KB

MD5
46b193d5f704cd1a0aadb11ee569797e

SHA1
7cd6f0a405361111a11935961a8e7d8e12c425c9

SHA256
c3bca399df18104cf411227ac1e92f422ed40ee71c43764d452a514c718fa2f4

SHA512
ad02f8412175103031ace01ed3fd2c6694c0e8d39ae45e10b067dd1cff3ee709a741613522eb208e32ea6cadb79ff55e22c68ed46673acfd66808e1141b61c6c

Download Submit
\Users\Admin\AppData\Local\Temp\wirybscjwh.exe

Filesize
150KB

MD5
46b193d5f704cd1a0aadb11ee569797e

SHA1
7cd6f0a405361111a11935961a8e7d8e12c425c9

SHA256
c3bca399df18104cf411227ac1e92f422ed40ee71c43764d452a514c718fa2f4

SHA512
ad02f8412175103031ace01ed3fd2c6694c0e8d39ae45e10b067dd1cff3ee709a741613522eb208e32ea6cadb79ff55e22c68ed46673acfd66808e1141b61c6c

Download Submit
\Users\Admin\AppData\Roaming\TiWorker.exe

Filesize
298KB

MD5
b51f67297d5dd494ed1acecf85c989f8

SHA1
3b0bb6fab8077c13633b9cdab84a42d981fb59b5

SHA256
c121eae871db09a878d790146f551a88f652fa3c0b56627674dc5ba9f05e04bc

SHA512
14de097c176e7c7b8626f6a514d7969cde26009612517ef5dc25f85ad583d4093f0cddc80a7502f2471850461caffccbffa76228ed4fe8278b08f5fe2013f157

Download Submit
memory/1180-36-0x0000000004C70000-0x0000000004D7D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-53-0x0000000006F60000-0x000000000707E000-memory.dmp

Filesize
1.1MB

Download
memory/1180-55-0x0000000006F60000-0x000000000707E000-memory.dmp

Filesize
1.1MB

Download
memory/1180-42-0x0000000004E90000-0x0000000004F52000-memory.dmp

Filesize
776KB

Download
memory/1180-34-0x0000000000120000-0x0000000000220000-memory.dmp

Filesize
1024KB

Download
memory/1180-52-0x0000000006F60000-0x000000000707E000-memory.dmp

Filesize
1.1MB

Download
memory/2364-37-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2364-1-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2364-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2540-31-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/2540-40-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2540-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-35-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/2540-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-24-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2796-46-0x0000000001EE0000-0x00000000021E3000-memory.dmp

Filesize
3.0MB

Download
memory/2796-47-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2796-49-0x0000000001D50000-0x0000000001DE3000-memory.dmp

Filesize
588KB

Download
memory/2796-45-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2796-44-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/2796-43-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download