formbook | 3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-5299.xls
Size

389KB
MD5

ca93ad9d9887663ed1afc2197b775268
SHA1

017bb90012dfa9fd9a6a05efd01d1d929e411039
SHA256

3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb
SHA512

02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af
SSDEEP

6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY

Score

10^/10

formbook he09 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he09

Decoy

clhear.com

maythunguyen.com

xiongmaoaijia.com

kembangzadsloh.xyz

speedwagner.com

360bedroom.com

campereurorg.top

cwxg2.site

mcdlibre.live

globigprimecompanylimited.com

1707102023-stripe.com

xhfj5.site

mugiwaranousopp.xyz

texmasco.com

sc9999.net

lite.team

8xb898.com

cibecuetowing.top

mgplatinemlak.xyz

southwestharborkeyword.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2992-111-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2992-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2084-122-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/2084-124-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2176	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
1972	conhost.exe
2992	conhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	EQNEDT32.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 2992	1972	conhost.exe	34
PID 2992 set thread context of 1184	2992	conhost.exe	7
PID 2084 set thread context of 1184	2084	cmstp.exe	7

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2176	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2484	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2992	conhost.exe
2992	conhost.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe
2084	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2992	conhost.exe
2992	conhost.exe
2992	conhost.exe
2084	cmstp.exe
2084	cmstp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	conhost.exe
Token: SeDebugPrivilege	2084	cmstp.exe
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE
Token: SeShutdownPrivilege	1184	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2484	EXCEL.EXE
2484	EXCEL.EXE
2484	EXCEL.EXE
2788	WINWORD.EXE
2788	WINWORD.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1972	2176	EQNEDT32.EXE	31
PID 2176 wrote to memory of 1972	2176	EQNEDT32.EXE	31
PID 2176 wrote to memory of 1972	2176	EQNEDT32.EXE	31
PID 2176 wrote to memory of 1972	2176	EQNEDT32.EXE	31
PID 2788 wrote to memory of 1500	2788	WINWORD.EXE	32
PID 2788 wrote to memory of 1500	2788	WINWORD.EXE	32
PID 2788 wrote to memory of 1500	2788	WINWORD.EXE	32
PID 2788 wrote to memory of 1500	2788	WINWORD.EXE	32
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1972 wrote to memory of 2992	1972	conhost.exe	34
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 1184 wrote to memory of 2084	1184	Explorer.EXE	35
PID 2084 wrote to memory of 1804	2084	cmstp.exe	36
PID 2084 wrote to memory of 1804	2084	cmstp.exe	36
PID 2084 wrote to memory of 1804	2084	cmstp.exe	36
PID 2084 wrote to memory of 1804	2084	cmstp.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-5299.xls
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2484
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    PID:1804

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1500

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\conhost.exe
  "C:\Users\Admin\AppData\Roaming\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
a464081ab2a888e7dac6c7345551ed5c

SHA1
b18f174f8b9df0d7adeabb9109d16744cbaba4b1

SHA256
861028d264d972b8a26c496d646d52d3196d9c20091da7df5add64e1ed7467a6

SHA512
9c371f1ed662462ed6bc9aabd4f28b25e44fea08b194feeb8bbc293e90a59022601c7e18148222804c16574ba278c5000adccc1c7f2d54c25cd9c5990d4f8225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6B6EFF92-3AA9-420E-BDCF-33B25F175B2D}.FSD

Filesize
128KB

MD5
34a7b344eef925f5cf3cd0e58de20997

SHA1
30d0c5eafd3511614af679f01bb0bf36263d278f

SHA256
b84098c3f9e53f8c4027d1b364d0986be42c2234d8a2443c6b692d7743e0fabf

SHA512
c22d659c2a58bd170d432145c46c44637395b522736e7f8f1e0ecd8f683ba91bd6431a40a76397eea5eaa2e48b1f69d6bbdbde7d4261482e0d1a808ff5adb0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth[1].doc

Filesize
66KB

MD5
0f15c2649a458ea6d0421b673571b5af

SHA1
a7cd0504cee1402625b1ab2bd13e89d344b3cb60

SHA256
19903b449b7a97eff2293836d617b509039bc4b8b108b9b5ae299f0e2a2ce9d7

SHA512
61ffb5b2d56bc32ee03a4e9ea70adeb5869226e92e8e4bc3d26f29c08060c8d4f5350d6fde19e26a3e536b9aaee3c24b072d7541e01c217471cd3f9f2868a1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A0F5974B-E08F-4667-BCFA-7D17681CCBFB}

Filesize
128KB

MD5
e796020fce52f1b4cc98c45a2ef9f1d0

SHA1
0417d34b24d925a06d620475c711dc422609fb79

SHA256
c0686db13b1074c8163a786a17cde5d4ef4193bbadf623efc008ffe2d4dbad1e

SHA512
4796898ac9d90231cdd3a38d31853e301d7aaa12fe4d44e19eebe70e78e10a23d4b9aec1da432c01a5a1bba73b7fc849c06f1a47f60cd68f838e43748e40b61f

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
605KB

MD5
4e970a3b8f394efb6020b1d7474bc147

SHA1
f519d4c73cc21fed56a4e2b2ea596215f4815f4b

SHA256
1a96da0b8cd4b80ebbe15e9ac2e4cc3552934d5e97f80a6533f97bc66095f126

SHA512
e6a2b04cef50f48c5bd89002766438233945f7f705cb864aa48ace5f26ab5f257dfe9d6a3139db21105381837f21304f3d4392aef51a4e883438fa77263ac2da

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
699KB

MD5
591dac333aff7739bf01a4c9d3e838a5

SHA1
5211f3ab4d80644439220d11fb204eb2bee9fdb8

SHA256
0509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4

SHA512
b511a6b960b2c092577ab8fbf20767e9ad5dc86682e76e630602cfd88b4e8bf9b8fa8fac7e60fd4aa40ca8bcb49f69b9e8e9cc5a44f4c4b03d6e3d38ff402bfd

Download Submit
memory/1184-119-0x0000000003F00000-0x0000000004022000-memory.dmp

Filesize
1.1MB

Download
memory/1184-127-0x0000000003F00000-0x0000000004022000-memory.dmp

Filesize
1.1MB

Download
memory/1184-135-0x0000000006B10000-0x0000000006BD6000-memory.dmp

Filesize
792KB

Download
memory/1184-132-0x0000000006B10000-0x0000000006BD6000-memory.dmp

Filesize
792KB

Download
memory/1184-131-0x0000000006B10000-0x0000000006BD6000-memory.dmp

Filesize
792KB

Download
memory/1184-118-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/1972-97-0x0000000001150000-0x0000000001206000-memory.dmp

Filesize
728KB

Download
memory/1972-113-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-101-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/1972-98-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-100-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download
memory/1972-104-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1972-105-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1972-106-0x0000000005B20000-0x0000000005B8E000-memory.dmp

Filesize
440KB

Download
memory/2084-125-0x00000000008D0000-0x0000000000963000-memory.dmp

Filesize
588KB

Download
memory/2084-123-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/2084-122-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/2084-121-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download
memory/2084-120-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download
memory/2084-124-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/2484-102-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2484-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2484-9-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/2484-1-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2788-103-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2788-4-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2788-6-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2788-8-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/2992-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-114-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2992-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-117-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/2992-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download