Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 07:40
Static task
static1
Behavioral task
behavioral1
Sample
Order4500318042.xls
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Order4500318042.xls
Resource
win10v2004-20240419-en
General
-
Target
Order4500318042.xls
-
Size
229KB
-
MD5
ef04a12bc8c36b451d4b9da3cd9d36d6
-
SHA1
cf13b2aedb7a44209a7d8bbe4694150834fc50e0
-
SHA256
c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a
-
SHA512
cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa
-
SSDEEP
6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK
Malware Config
Extracted
formbook
4.1
ht3d
derlon.net
46gem.vip
bridal-heart-boutique.com
porarquitectura.com
durkal.online
9916k.vip
nativegarden.net
hoodjac.com
coachwunder.com
jutuowangluo.com
frankmontagna.com
jalenx.com
yhxg.net
brasserie-bro.com
whitecoatprivilege.com
sigmadriving.com
inhkipcmacau.com
freediveexperience.com
52iwin.com
aaditt.com
accesspathways.com
subhadarshini.online
zshoessale.com
rubyreverie.xyz
hrtacticalin.com
lordle.app
milfriedrichphotography.com
campbellforamerica.com
blessedunity.com
ema-blog.site
loxleyshop.com
mirfinans.com
xn--2o2b110a3rh.com
palmbarnj.com
weddingantonioemarina.com
debeukbv.net
rlknia.cfd
5redbull.com
dwbwoodworking.com
cab-bc.com
testingsol.com
scadamarket.com
ryan-waltz.com
62iwin.win
balkanapp.com
weatherproofit.net
1bytes.website
butterflygroup.net
sydneyridesfestival.net
licrodriguezpalma.com
sam2.site
data-list.online
fulhamwinebar.com
eissw.com
used-cars-77695.bond
get-bettingid.com
wow-professions.info
psicoimago.com
1788777.com
cikaslot.icu
sleepbetter.health
apple-ios-gps-us-19.ink
reallyrealclothing.store
earthoftender.com
isboston.net
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2540-267-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2668-273-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 27 1636 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
html.exehtml.exepid process 2988 html.exe 2540 html.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1636 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
Processes:
html.exehtml.exechkdsk.exedescription pid process target process PID 2988 set thread context of 2540 2988 html.exe html.exe PID 2540 set thread context of 1260 2540 html.exe Explorer.EXE PID 2668 set thread context of 1260 2668 chkdsk.exe Explorer.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
EXCEL.EXEchkdsk.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1908 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
html.exechkdsk.exepid process 2540 html.exe 2540 html.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe 2668 chkdsk.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
html.exechkdsk.exepid process 2540 html.exe 2540 html.exe 2540 html.exe 2668 chkdsk.exe 2668 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
html.exechkdsk.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2540 html.exe Token: SeDebugPrivilege 2668 chkdsk.exe Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE Token: SeShutdownPrivilege 1260 Explorer.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 1908 EXCEL.EXE 1908 EXCEL.EXE 1908 EXCEL.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEhtml.exeExplorer.EXEchkdsk.exedescription pid process target process PID 1636 wrote to memory of 2988 1636 EQNEDT32.EXE html.exe PID 1636 wrote to memory of 2988 1636 EQNEDT32.EXE html.exe PID 1636 wrote to memory of 2988 1636 EQNEDT32.EXE html.exe PID 1636 wrote to memory of 2988 1636 EQNEDT32.EXE html.exe PID 2820 wrote to memory of 2420 2820 WINWORD.EXE splwow64.exe PID 2820 wrote to memory of 2420 2820 WINWORD.EXE splwow64.exe PID 2820 wrote to memory of 2420 2820 WINWORD.EXE splwow64.exe PID 2820 wrote to memory of 2420 2820 WINWORD.EXE splwow64.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 2988 wrote to memory of 2540 2988 html.exe html.exe PID 1260 wrote to memory of 2668 1260 Explorer.EXE chkdsk.exe PID 1260 wrote to memory of 2668 1260 Explorer.EXE chkdsk.exe PID 1260 wrote to memory of 2668 1260 Explorer.EXE chkdsk.exe PID 1260 wrote to memory of 2668 1260 Explorer.EXE chkdsk.exe PID 2668 wrote to memory of 2856 2668 chkdsk.exe cmd.exe PID 2668 wrote to memory of 2856 2668 chkdsk.exe cmd.exe PID 2668 wrote to memory of 2856 2668 chkdsk.exe cmd.exe PID 2668 wrote to memory of 2856 2668 chkdsk.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\html.exe"3⤵PID:2856
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2420
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Roaming\html.exe"C:\Users\Admin\AppData\Roaming\html.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Roaming\html.exe"C:\Users\Admin\AppData\Roaming\html.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
299B
MD55ae8478af8dd6eec7ad4edf162dd3df1
SHA155670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize192B
MD501393e3a5065febc53d08bf9f2f6d8bd
SHA116a598640c1229ffc376baf4d23af537af68d47a
SHA256b3ce38100a47ef0bf745749bb96bbe442e7e5d04ad3858f0d37ebac3de5ab01c
SHA512cf3c726d02b52277aabd52008385765830f42c80f5f6802b2613ed3f364bee949d8601c700f17da6a49447967b30991e2dfa7818fc4b29a368ece68e83fb39a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize192B
MD5c33946a195628684ca42d8f21ad7e48d
SHA14a7a3a761bc68370a56c598f8114cfc4d36cdc82
SHA256359e108184810e910511bd51ea6d0e9bbfad2d13358f86a6fe1b269c2c5a87a5
SHA51275766dd5416edc91b797ddb1ef010f2cf41a59fe6674503bb7a54f399081ad30d852f400093672c81d3ab1e63c83ab3e261a6b95550cee07b19de469a0a52c60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5432e5e1b0b0ff9830c353957cf043243
SHA119035214e95249f666154954ebda6df4863b47cb
SHA256586357a014d3f4b4cab59b16bae6878cc8d2e7a1922e11a73cc7c9bdb0f4a6a0
SHA512d1be53229cec31dfbf4696a33f9fad4dacfa0801abbc8ef2a07497326d480ab9cdb5f7938749e42a3a40c23b7a8b920929b839c96c809ce98e3379c2c1f9cb4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD576e0de3ea725b6a55b3f5955dba56e4b
SHA1d1b55c52afdfe15d0c11482692ed3d3a41596030
SHA2566f1fa083ff081b039848c090883f7d909c83372e734c59251ba142de75adbb24
SHA512311602e273ec6e80f6b774a80c679991f9a7739e9616e8e201d9d866046526396b735fc76a044a897dd1f0c2e1dfc13efbfaeafe15b331eb795066f2390343d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD52a05c01414bc71534b5946c428b383be
SHA12d80f028c873aea25c00c5223383a8b3006995a1
SHA2568e50e74d018f4bb689588365e55175af742fd7447ee5890591f134d8391c3e3a
SHA512e8e77e6a0b37b87f8b9416dfe3080a06b440ca4a5398c6203990a30a6a1f3ded10930e53c424d0c10fc047734d27f13e808de2b08da0d0e18cff15889fb566b8
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{37E9D860-2852-4C68-B67D-D974F4E1D82D}.FSD
Filesize128KB
MD5a3f726cf239a87baed925a0bcba0a35a
SHA1c02b903214097dbcd0272e90fd853381b7a21856
SHA256fa547f2d12ef25eb2286743c3a7345d6e752e64e1421e76795b9db50610a3fa2
SHA512e376a58fde10cfd4f03e35643ed1b5f2fadda7fc4f12c566944f436bb11b9dd2b9d7eb99fb5814b91a686655dd9e8661deb956331d19be52d5e9b5aeec01eee3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD52098b30f165478f7083d8bd73f75c5f4
SHA1def66b95072d3f7f28bfde58efac901f7f280212
SHA25679ea74483501ab43cc268837443775da213cd709fb49e3dae9f779753d78c8c7
SHA51236cfd00a665ebd9a490db552ce2e46269bda3be3c969efd3b1f9a9d1c25d2ece0bad28101bb543d7a6fa041c16f032ff7545ad706d837286be48d1b12a66c034
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5fb29a9df04088ee3cf11d142b3c1c4d2
SHA15afda4c8458820b550180243d4b314b40d15e28c
SHA256428e9cfaa1b94fcc9f52ce645c61617e5a9cb559e7302ec9cd8016a521e1de8d
SHA512cbfff5897c20a6a057084355282fe315881b24922635f89db69fb6767cbcf16479c5dac4ab145b485343d81ae667996d3a611c19666160e74909f9227c7deb1a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3CDA3D5C-B43A-478F-9727-499E84230D46}.FSD
Filesize128KB
MD5ed210c74b005356bdd898e1232b0902e
SHA116c4b85773282a13d7a02994bc467303c60ba7b6
SHA25620df3493023d7938cc40448c4a0a42713539514dd3e929b7b4bbd72c37309d75
SHA51255f2a585a55d19dae089a2e4c810945eef4132998598e4b15ece973c984439fa0fb38080ec7d2d1df3f0e3607780471d251b31a0599e3fff801099b5288c7b65
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BEAUBQH5\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc
Filesize81KB
MD51aa76ce00f01882d5cd3d712b8052bc2
SHA1b0cb1b9a8ada2812a013469ff5cf736b0f8da933
SHA2569ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029
SHA512ac7d9b0319aeab38a8bdea8c6094a4a73266d83ea4ee4974619bdc641197e58f1402089a9ab67a679df9920884214cfd5b69a4dcc9d8c3aa0d62165a67dcbdcb
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
128KB
MD5064121ac7f1ced40bdc12ce8b3becb98
SHA192ad07a09b406ef0172c113fc8fc61e231666cdd
SHA2560e81fac49148755898e00714ba8d4c489607a81a2d2978deb59460a71cf741bf
SHA512c5790a122393f166669a50d41088c9f4d5b2ef0be3186d37039fe1f18926ec674ddfd061dc32e45d19e197359121d4b717f6adb328151d6bace523639478c21a
-
Filesize
69B
MD5eb4acdb99428f60a5ab235ba7f2dabb8
SHA12581b4882dd12e31f883e61f23effd934557f336
SHA2566cecc67f413e145f82577b6b82a828202d880010ee1a10b3fb85b2978d9fe956
SHA51246dfb190d3d0154620687dace7736c6701480c1a75b442ae0c37cbac233976f9afeb29d9627516d7a29876c0868c7ce3e2ad28653bf1a6fb8866f1cd42e95236
-
Filesize
658KB
MD5cef1565654989742eaffa2cbc59947eb
SHA1afef46a08dc6a2e1b3c8a9c6b58627677403f7b5
SHA256f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
SHA51253b9b0cf0d8d1c815c269e1f152ee26cda3fe18e277341f753c2d98a134e32a1c4bc6691d99cee68942e497014785087a20b2563005fd7ce4aaac9511ccfcf97