formbook | 127e769d7c6587fed646fe52712032fcd483df248fa23c81614bbccf3a534279

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
17-11-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad208fe787c74f455a317a5050c3462c8236ed6e3c58f9c6082147ca09902335.xlsx
Size

1.9MB
MD5

22ca610098805557434a4b2810329689
SHA1

23cf1f231d4b1a53416c3f72accbe8e21b4b1fc3
SHA256

ad208fe787c74f455a317a5050c3462c8236ed6e3c58f9c6082147ca09902335
SHA512

a333f8b243c5482302857834f185d934dc6f149b587e40ae41fc30e61936f0fb4c55d0c543f590dcf714fc688abfb018655c86c1e2c10d8ead393ec66b06e910
SSDEEP

49152:0kVgTbHTs6oLbLvnlfRzlPlJfhQKyd2jgC0c+QXjI2yD:2TzTdoLbLvFRzljJed21+yjIB

Score

10^/10

formbook tb8i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tb8i

Decoy

097jz.com

physium.net

sherwoodsubnet.com

scbaya.fun

us2048.top

danlclmn.com

starsyx.com

foxbox-digi.store

thefishermanhouse.com

salvanandcie.com

rykuruh.cfd

gelaoguan.net

petar-gojun.com

coandcompanyboutique.com

decentralizedcryptos.com

ecuajet.net

livbythebeach.com

cleaning-services-33235.bond

free-webbuilder.today

pussypower.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2908-40-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2908-44-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1076-53-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1076-55-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2796	EQNEDT32.EXE
6	2796	EQNEDT32.EXE
8	2796	EQNEDT32.EXE
10	2796	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2700	word.exe
2116	cegsxx.exe
2908	cegsxx.exe

Loads dropped DLL 4 IoCs

pid	Process
2796	EQNEDT32.EXE
2700	word.exe
2700	word.exe
2116	cegsxx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2908	2116	cegsxx.exe	33
PID 2908 set thread context of 1260	2908	cegsxx.exe	16
PID 1076 set thread context of 1260	1076	wuapp.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015cb0-22.dat	nsis_installer_1
behavioral1/files/0x0007000000015cb0-22.dat	nsis_installer_2
behavioral1/files/0x0007000000015cb0-23.dat	nsis_installer_1
behavioral1/files/0x0007000000015cb0-23.dat	nsis_installer_2
behavioral1/files/0x0007000000015cb0-25.dat	nsis_installer_1
behavioral1/files/0x0007000000015cb0-25.dat	nsis_installer_2
behavioral1/files/0x0007000000015cb0-26.dat	nsis_installer_1
behavioral1/files/0x0007000000015cb0-26.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2796	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2660	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2908	cegsxx.exe
2908	cegsxx.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe
1076	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2116	cegsxx.exe
2908	cegsxx.exe
2908	cegsxx.exe
2908	cegsxx.exe
1076	wuapp.exe
1076	wuapp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	cegsxx.exe
Token: SeDebugPrivilege	1076	wuapp.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2660	EXCEL.EXE
2660	EXCEL.EXE
2660	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2700	2796	EQNEDT32.EXE	31
PID 2796 wrote to memory of 2700	2796	EQNEDT32.EXE	31
PID 2796 wrote to memory of 2700	2796	EQNEDT32.EXE	31
PID 2796 wrote to memory of 2700	2796	EQNEDT32.EXE	31
PID 2700 wrote to memory of 2116	2700	word.exe	32
PID 2700 wrote to memory of 2116	2700	word.exe	32
PID 2700 wrote to memory of 2116	2700	word.exe	32
PID 2700 wrote to memory of 2116	2700	word.exe	32
PID 2116 wrote to memory of 2908	2116	cegsxx.exe	33
PID 2116 wrote to memory of 2908	2116	cegsxx.exe	33
PID 2116 wrote to memory of 2908	2116	cegsxx.exe	33
PID 2116 wrote to memory of 2908	2116	cegsxx.exe	33
PID 2116 wrote to memory of 2908	2116	cegsxx.exe	33
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1260 wrote to memory of 1076	1260	Explorer.EXE	34
PID 1076 wrote to memory of 2160	1076	wuapp.exe	36
PID 1076 wrote to memory of 2160	1076	wuapp.exe	36
PID 1076 wrote to memory of 2160	1076	wuapp.exe	36
PID 1076 wrote to memory of 2160	1076	wuapp.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ad208fe787c74f455a317a5050c3462c8236ed6e3c58f9c6082147ca09902335.xlsx
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2660
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\cegsxx.exe"
    3⤵
    PID:2160

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\cegsxx.exe
    "C:\Users\Admin\AppData\Local\Temp\cegsxx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\cegsxx.exe
      "C:\Users\Admin\AppData\Local\Temp\cegsxx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zardzr.n

Filesize
205KB

MD5
94c1de70f3399bfbb9a75c90f80cb147

SHA1
058d4d73ba9a02ba877be7664f159c3be08a4331

SHA256
1db2947c6a53bb241df0b2d3fe158a3ec6fd418f8cd77b6041b8c77e520248d3

SHA512
9bde301e2a4d0b06a9efe7c3e87a34f094de17ea871e4025a3b2c1e8d3221884afa3dfb917578eb66bf074b34d29d5cec9c7da099dd65986ab7e18009758f2e2

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
332KB

MD5
5b691330acaa3c5432b9caadbeb82003

SHA1
7084d84dcc45be8161bc3c044c02d02f05d46b95

SHA256
860b90ba1c36e237b2aca9e77024d953e5aa3b9d4a736130d355da6c76cf0930

SHA512
dd8fb100e9d3b3d7404265c400ff1d055fc31d07f6359cfe95902045f9f48e3ca348ccce3071bc00bcca7f39a1073df45ea79381b81d697aafe6ff2ea7c765c4

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
332KB

MD5
5b691330acaa3c5432b9caadbeb82003

SHA1
7084d84dcc45be8161bc3c044c02d02f05d46b95

SHA256
860b90ba1c36e237b2aca9e77024d953e5aa3b9d4a736130d355da6c76cf0930

SHA512
dd8fb100e9d3b3d7404265c400ff1d055fc31d07f6359cfe95902045f9f48e3ca348ccce3071bc00bcca7f39a1073df45ea79381b81d697aafe6ff2ea7c765c4

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
332KB

MD5
5b691330acaa3c5432b9caadbeb82003

SHA1
7084d84dcc45be8161bc3c044c02d02f05d46b95

SHA256
860b90ba1c36e237b2aca9e77024d953e5aa3b9d4a736130d355da6c76cf0930

SHA512
dd8fb100e9d3b3d7404265c400ff1d055fc31d07f6359cfe95902045f9f48e3ca348ccce3071bc00bcca7f39a1073df45ea79381b81d697aafe6ff2ea7c765c4

Download Submit
\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
\Users\Admin\AppData\Local\Temp\cegsxx.exe

Filesize
176KB

MD5
0a1743cf9e74100a9fd023acf3f36e49

SHA1
4a7d1c28ccb0ae96ed074466ad1bdd22a2d36457

SHA256
5491e80a096d5f370f010e69d9aba77eb3ab49f8a259dea544106a7f4f7aad74

SHA512
9b4ce1bddbb32ce7fa4916cd6d7616fc9016234e4a6cfe7ddb97ffb42f5da8000dbdf5c709e0046036d72ae481c10268504243a8b09582d80845b10868aafea4

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
332KB

MD5
5b691330acaa3c5432b9caadbeb82003

SHA1
7084d84dcc45be8161bc3c044c02d02f05d46b95

SHA256
860b90ba1c36e237b2aca9e77024d953e5aa3b9d4a736130d355da6c76cf0930

SHA512
dd8fb100e9d3b3d7404265c400ff1d055fc31d07f6359cfe95902045f9f48e3ca348ccce3071bc00bcca7f39a1073df45ea79381b81d697aafe6ff2ea7c765c4

Download Submit
memory/1076-49-0x0000000001360000-0x000000000136B000-memory.dmp

Filesize
44KB

Download
memory/1076-50-0x0000000001360000-0x000000000136B000-memory.dmp

Filesize
44KB

Download
memory/1076-57-0x00000000008E0000-0x0000000000973000-memory.dmp

Filesize
588KB

Download
memory/1076-55-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1076-54-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/1076-53-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1260-60-0x0000000006B60000-0x0000000006C77000-memory.dmp

Filesize
1.1MB

Download
memory/1260-61-0x0000000006B60000-0x0000000006C77000-memory.dmp

Filesize
1.1MB

Download
memory/1260-47-0x00000000068E0000-0x00000000069B7000-memory.dmp

Filesize
860KB

Download
memory/1260-45-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1260-64-0x0000000006B60000-0x0000000006C77000-memory.dmp

Filesize
1.1MB

Download
memory/2116-36-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2660-71-0x0000000071DAD000-0x0000000071DB8000-memory.dmp

Filesize
44KB

Download
memory/2660-52-0x0000000071DAD000-0x0000000071DB8000-memory.dmp

Filesize
44KB

Download
memory/2660-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-1-0x0000000071DAD000-0x0000000071DB8000-memory.dmp

Filesize
44KB

Download
memory/2908-46-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2908-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-42-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2908-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download