formbook | 13b1f7955a9cf96f79b39effd8d08940cc7998c3aa934047a48ed3157d5a6db9

General

Target

SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf
Size

138KB
MD5

12135005a3185366b4b27c706f1d0526
SHA1

11c701479e96c20ce16c3eb6e0e3d2249fd25ba0
SHA256

13b1f7955a9cf96f79b39effd8d08940cc7998c3aa934047a48ed3157d5a6db9
SHA512

3259b2c6b3aa8cf195521c9d85c899a3ebc9328597833ba5181bcd2421a9b5d65fcf468050b57933de5158e8501b8b00a1101a52fef7a0b6eebb25dcebf8a35a
SSDEEP

768:ewAbZSibMX9gRWjtwAbZSibMX9gRWjhxsceh5IohhYZK3rad35:ewAlRkwAlR6Kh5HhhGK3ud35

Score

10^/10

formbook sg36 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sg36

Decoy

cookfranschhoek.com

rajaslot138.today

eightfigureroundtable.com

sdklwdz.com

novaturienthealth.com

sk87k.xyz

defoutenmakers.online

eadsanuncios.com

drewkav.com

car-insurance-94416.bond

m3nm.site

6vab.site

towing-barnesville.top

authentifizierung-beginnen.com

thejmfc.com

beggiapizza.site

gttsfibermill.com

cdugood.com

dominiongeneralcontractors.com

deprepagos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1824-34-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1824-39-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2164-45-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2164-47-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 2816 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

softbin93005.exesoftbin93005.exesoftbin93005.exe

pid process

2960 softbin93005.exe
2516 softbin93005.exe
1824 softbin93005.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2816 EQNEDT32.EXE

flow	pid	process
4	2816	EQNEDT32.EXE

pid	process
2816	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

softbin93005.exesoftbin93005.exewlanext.exe

description	pid	process	target process
PID 2960 set thread context of 1824	2960	softbin93005.exe	softbin93005.exe
PID 1824 set thread context of 1204	1824	softbin93005.exe	Explorer.EXE
PID 2164 set thread context of 1204	2164	wlanext.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2816 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2816	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2760 WINWORD.EXE

pid	process
2760	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

softbin93005.exesoftbin93005.exewlanext.exe

pid	process
2960	softbin93005.exe
2960	softbin93005.exe
1824	softbin93005.exe
1824	softbin93005.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe
2164	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

softbin93005.exewlanext.exe

pid process

1824 softbin93005.exe
1824 softbin93005.exe
1824 softbin93005.exe
2164 wlanext.exe
2164 wlanext.exe

pid	process
1824	softbin93005.exe
1824	softbin93005.exe
1824	softbin93005.exe
2164	wlanext.exe
2164	wlanext.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

softbin93005.exesoftbin93005.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2960	softbin93005.exe
Token: SeDebugPrivilege	1824	softbin93005.exe
Token: SeDebugPrivilege	2164	wlanext.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2760 WINWORD.EXE
2760 WINWORD.EXE

pid	process
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEsoftbin93005.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2816 wrote to memory of 2960	2816	EQNEDT32.EXE	softbin93005.exe
PID 2816 wrote to memory of 2960	2816	EQNEDT32.EXE	softbin93005.exe
PID 2816 wrote to memory of 2960	2816	EQNEDT32.EXE	softbin93005.exe
PID 2816 wrote to memory of 2960	2816	EQNEDT32.EXE	softbin93005.exe
PID 2760 wrote to memory of 1148	2760	WINWORD.EXE	splwow64.exe
PID 2760 wrote to memory of 1148	2760	WINWORD.EXE	splwow64.exe
PID 2760 wrote to memory of 1148	2760	WINWORD.EXE	splwow64.exe
PID 2760 wrote to memory of 1148	2760	WINWORD.EXE	splwow64.exe
PID 2960 wrote to memory of 2516	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 2516	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 2516	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 2516	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 2960 wrote to memory of 1824	2960	softbin93005.exe	softbin93005.exe
PID 1204 wrote to memory of 2164	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2164	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2164	1204	Explorer.EXE	wlanext.exe
PID 1204 wrote to memory of 2164	1204	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 1808	2164	wlanext.exe	cmd.exe
PID 2164 wrote to memory of 1808	2164	wlanext.exe	cmd.exe
PID 2164 wrote to memory of 1808	2164	wlanext.exe	cmd.exe
PID 2164 wrote to memory of 1808	2164	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.13523.31964.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1148

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\softbin93005.exe"
3⤵
PID:1808

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Roaming\softbin93005.exe
"C:\Users\Admin\AppData\Roaming\softbin93005.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Roaming\softbin93005.exe
"C:\Users\Admin\AppData\Roaming\softbin93005.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Roaming\softbin93005.exe
"C:\Users\Admin\AppData\Roaming\softbin93005.exe"
3⤵
- Executes dropped EXE
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
04dad4e3db2cded1a942e2c901e0061a

SHA1
c66bfeabc7476eb125873d49e458cba37c1bd709

SHA256
8fe12ce87c5586d28bb862c4aa7b59c1770b9d40c37c5f2d0f7a66c3f89dd7a7

SHA512
b5d970353c400de0374b649b847b18bf7c547009a1b646407785cc73048c5cca776b15b327e696a5b447b202e43686165c9ee313151c62f5a4ec6c9406e18a2c

Download Submit
C:\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
159KB

MD5
400a6c8b240c7e185647090c7508bcd4

SHA1
e45965de1c178fa5f8b4302be6ae6afb794a76ba

SHA256
92b41cdb39231cb4c0de3bad45a641263645099d4a08011c3aa5f4829dc1c438

SHA512
d45b87b490323004c22c9153b820250a3448b1d14907c3836db51b9c3a5feb6f12ea7f8ffcdd90928a05a08ba4c2dbb11ba29620dd5265f13f7b2c85ac7e51eb

Download Submit
C:\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
192KB

MD5
7596bc7d062f0dd1bd55e62ca08155cf

SHA1
03f67eb9a626d79a383c1becea457000b7ffa110

SHA256
f2c7fd4bef9703ffcfa2bd78cd69ca33b51c8e7fc7e5a37a0df9f67817a0d9aa

SHA512
49518cc7052e92022f83fa5f119125e0bb89bf6b7948f74c364cca96e153b01b5e51aa91c90b122192cb836c170b2ebb6b48341c9d85e8f8283fbdd2a50bef92

Download Submit
C:\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
92KB

MD5
555e2ded41b69293da5e7acc830beb6d

SHA1
ee921a9279ff82b7826fe8a24e6f03d3a0eefad3

SHA256
520bd8037626b8eb0a4209477e169afc16c928f4b670d179c886afc4302a7f7c

SHA512
fa362adee89d6d30924656496cbb749d0cd19916baaf68d4bd794a04e31ea069832a92440cb0cddcd1e63e7221a298f75c372bb7e5f290e0509e7607f77722f1

Download Submit
C:\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
902KB

MD5
aa305fd0870aa227c16bd1060964d2b8

SHA1
a29ba6abc7eb4752929a1c213ffc89770ff878e0

SHA256
10b71b9870e8b389acdf0874c2d49d392a9d9d227fd37e9f12c290b217f95fc0

SHA512
aaebd755fddaccdd29cb975db21e50e233deb7f367d99a7a0a8850231c15c609cec378975ae498d0682598321b5687af9422e3704e0cb8f57407c1119a2401e1

Download Submit
C:\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
382KB

MD5
06f68e2fc358811f86700a3430fc80d1

SHA1
f3ecc0e47bd2164402c5842bec9e77a326bbc057

SHA256
6b55989810ba43bd27d87707c80917cbf0c16eb2c8235987a54073e272b90341

SHA512
0a62be3507302f160d2a5f50532407e027be79c117861a432183fb20ad3a0ef4df5339a8d91458eaaec8f72da39068e81c1b5c12c857e5df1bac8766a85a00ee

Download Submit
\Users\Admin\AppData\Roaming\softbin93005.exe
Filesize
704KB

MD5
1df21eee22c5106bfbe4800500f78504

SHA1
8b9a5a411c0905a1c6c708a5654ac03bedc6e163

SHA256
98c4f68a126ca8c5915b185ce5845c092f48d92f9bc4de64d3a5ac72b1c779dc

SHA512
9e9bc2790f30752d66a70165c3ec6aa86c787839aac9bec54228355d1aaed2d75ee196acbc0a11b8fa5922add578647948fca22ae016d2da2b83a7b6125e4ed6

Download Submit
memory/1204-51-0x00000000073B0000-0x00000000074A3000-memory.dmp

Filesize
972KB

Download
memory/1204-52-0x0000000004E10000-0x0000000004F02000-memory.dmp

Filesize
968KB

Download
memory/1204-50-0x00000000073B0000-0x00000000074A3000-memory.dmp

Filesize
972KB

Download
memory/1204-41-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1204-42-0x0000000004E10000-0x0000000004F02000-memory.dmp

Filesize
968KB

Download
memory/1204-55-0x00000000073B0000-0x00000000074A3000-memory.dmp

Filesize
972KB

Download
memory/1824-37-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/1824-40-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/1824-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1824-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-44-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2164-49-0x0000000001E80000-0x0000000001F13000-memory.dmp

Filesize
588KB

Download
memory/2164-45-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2164-43-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2164-46-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/2164-47-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2760-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-24-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/2760-2-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/2760-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

Filesize
4KB

Download
memory/2960-22-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/2960-17-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2960-16-0x000000006B620000-0x000000006BD0E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-15-0x0000000000850000-0x0000000000938000-memory.dmp

Filesize
928KB

Download
memory/2960-36-0x000000006B620000-0x000000006BD0E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-25-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2960-26-0x00000000053A0000-0x000000000540E000-memory.dmp

Filesize
440KB

Download

pid	process
2960	softbin93005.exe
2516	softbin93005.exe
1824	softbin93005.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads