formbook | a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43

Analysis

max time kernel
148s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118.rtf
Size

857KB
MD5

6fe45f14b8979c44af50fb66d899dc17
SHA1

b373d5208689c21928d124df0bb2cef405f2f77e
SHA256

a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43
SHA512

f6836a57d8a8ab7096807ab12c4d89c655796803911764576b66fb29e69309e7320f4908b93a2d24ff681475b9d676698b5f00d6abb4fb47c5b4b5f1aced142f
SSDEEP

12288:IXcp2r+s25xYf8Hb0oLAarHDaYdIZqUrz3s2aXcp2r7:IXcp2Cs25bvpdIv3s2aXcp2H

Score

10^/10

formbook ch57 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch57

Decoy

langoloverdeselvino.com

sjt5mbd68t.com

gongshilicai.com

carteblanchestudios.com

bctechnicaltraining.com

shokuyo.net

topminde.com

harvardcs.net

ssc-8.com

apshangwei.com

piratedlife.com

caricata.com

xulingxianzhen.com

mtofilm.com

gfuzz.online

satanslibrary.com

wooloficeland.com

emilengler.com

gemvoid.com

magussbrasil.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	3020	2024	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2720	2024	cmd.exe	WINWORD.EXE

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2644-45-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2644-49-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2644-51-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

exe.exeexe.exe

pid process

2932 exe.exe
2644 exe.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeexe.exe

pid process

2596 cmd.exe
2596 cmd.exe
2932 exe.exe

pid	process
2932	exe.exe
2644	exe.exe

pid	process
2596	cmd.exe
2596	cmd.exe
2932	exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XZKDV0Q8WR = "C:\\Program Files (x86)\\Gl4j8n4\\updatedpxpftbp.exe"	msiexec.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

exe.exeexe.exemsiexec.exe

description	pid	process	target process
PID 2932 set thread context of 2644	2932	exe.exe	exe.exe
PID 2644 set thread context of 1256	2644	exe.exe	Explorer.EXE
PID 2644 set thread context of 1256	2644	exe.exe	Explorer.EXE
PID 1272 set thread context of 1256	1272	msiexec.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\Program Files (x86)\Gl4j8n4\updatedpxpftbp.exe msiexec.exe
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2680 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1184 taskkill.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

2800 EQNEDT32.EXE
2188 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Gl4j8n4\updatedpxpftbp.exe	msiexec.exe

pid	process
2680	timeout.exe

pid	process
1184	taskkill.exe

pid	process
2800	EQNEDT32.EXE
2188	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2024 WINWORD.EXE

pid	process
2024	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

exe.exemsiexec.exe

pid	process
2644	exe.exe
2644	exe.exe
2644	exe.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe
1272	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

exe.exemsiexec.exe

pid process

2644 exe.exe
2644 exe.exe
2644 exe.exe
2644 exe.exe
1272 msiexec.exe
1272 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeexe.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1184 taskkill.exe
Token: SeDebugPrivilege 2644 exe.exe
Token: SeDebugPrivilege 1272 msiexec.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

exe.exeExplorer.EXE

pid process

2932 exe.exe
2932 exe.exe
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

exe.exeExplorer.EXE

pid process

2932 exe.exe
2932 exe.exe
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEexe.exe

pid process

2024 WINWORD.EXE
2024 WINWORD.EXE
2024 WINWORD.EXE
2932 exe.exe

description	pid	process
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	2644	exe.exe
Token: SeDebugPrivilege	1272	msiexec.exe

pid	process
2932	exe.exe
2932	exe.exe
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
2932	exe.exe
2932	exe.exe
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
2024	WINWORD.EXE
2024	WINWORD.EXE
2024	WINWORD.EXE
2932	exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.exeEQNEDT32.EXE

description	pid	process	target process
PID 2024 wrote to memory of 3020	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 3020	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 3020	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 3020	2024	WINWORD.EXE	cmd.exe
PID 3020 wrote to memory of 2596	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 2596	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 2596	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 2596	3020	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2680	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2680	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2680	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2680	2596	cmd.exe	timeout.exe
PID 2024 wrote to memory of 2720	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 2720	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 2720	2024	WINWORD.EXE	cmd.exe
PID 2024 wrote to memory of 2720	2024	WINWORD.EXE	cmd.exe
PID 2800 wrote to memory of 2764	2800	EQNEDT32.EXE	CmD.exe
PID 2800 wrote to memory of 2764	2800	EQNEDT32.EXE	CmD.exe
PID 2800 wrote to memory of 2764	2800	EQNEDT32.EXE	CmD.exe
PID 2800 wrote to memory of 2764	2800	EQNEDT32.EXE	CmD.exe
PID 2596 wrote to memory of 2932	2596	cmd.exe	exe.exe
PID 2596 wrote to memory of 2932	2596	cmd.exe	exe.exe
PID 2596 wrote to memory of 2932	2596	cmd.exe	exe.exe
PID 2596 wrote to memory of 2932	2596	cmd.exe	exe.exe
PID 2596 wrote to memory of 1184	2596	cmd.exe	taskkill.exe
PID 2596 wrote to memory of 1184	2596	cmd.exe	taskkill.exe
PID 2596 wrote to memory of 1184	2596	cmd.exe	taskkill.exe
PID 2596 wrote to memory of 1184	2596	cmd.exe	taskkill.exe
PID 2596 wrote to memory of 2920	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2920	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2920	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2920	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2876	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2876	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2876	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2876	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1744	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1744	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1744	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1744	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1216	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1216	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1216	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1216	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2464	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2464	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2464	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2464	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2620	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2620	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2620	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2620	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2908	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2908	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2908	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2908	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1604	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1604	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1604	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1604	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 1020	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 1020	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 1020	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 1020	2596	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118.rtf"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1020
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2132
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1208
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:860
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2140
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1496
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    PID:2720
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
    3⤵
    PID:2252

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %TmP%\TasK.BaT & UUUUUUUUc
  2⤵
  PID:2764

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
57ff2666bfc47c63e05d5c182b0f89f3

SHA1
c88b20b249b8f4ff963c897e2ba0028e20b316e2

SHA256
74249727c5d760e91b9277be58b45a03fd89a587cc19e0b42503b50db2e00356

SHA512
a7edf48519bbdf46aee1c5f60e419b4e604d04e3066aa3501e5fe3e81396fc443a4cafe35bdd06770a59e2009d0405dd4c97d8c121cd1bc30987270ad119b8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
432B

MD5
8decdcaeb92d9f628b6bf95de4c0597a

SHA1
19443ad64921ef01a77619350efcc97cd767a36b

SHA256
e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e

SHA512
d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
153B

MD5
89896bf3dc684cb01d6c9bd8f2df3694

SHA1
cd34ddbfe29c70d100f506addf4a6f831079dc01

SHA256
429934a64c0d46c46c09c3ccdac2db6801f96e28d072d3dd72ac01c5f023460b

SHA512
0f5371dee4db471524b3d6abf8fa673555b9dc92d596e7f3d73d13f810e899d19741cfebd46b09dfde60b0aee9288e2fac3bb8ec5cba3190dabd3bd87a0a29d1

Download Submit
C:\Users\Admin\AppData\Roaming\41901284\419logim.jpeg

Filesize
47KB

MD5
3e13bf702ab4a506a5bc13c915f51106

SHA1
db2e34f2128acc2623d94efc15b3f26697628777

SHA256
eaecb0f4ec9a5aac52234f3decbd0f6281d672d3a13c1c78a0e9c9f8bfcc5c88

SHA512
387ea5664bfdcf719db17f995335f165c359504d95e3369692210278a71080bdc9e9fe0cab689ae3d90fd60825ff280b94a3a1178552bc8daa85b300566d6c90

Download Submit
C:\Users\Admin\AppData\Roaming\41901284\419logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\41901284\419logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
400KB

MD5
0f8c250e5a3165f6c3de7c1f54fcfac8

SHA1
3269d93b95227e15be0c6cacd56b3161b99df199

SHA256
555c67989a77373b0ddd65809cf9813201cf4fca09c5c69f406eaa54d833111f

SHA512
3138c8a72e331791ae7b7ee2fc6d1cc6d3524158772e1a6df03733e397774fec2cf0099adfc3f8ee9a06a44e5b3a5fd82aa88da88d4e5c4309ccf2dab1063f01

Download Submit
memory/1256-48-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1256-50-0x0000000004F10000-0x0000000004FCF000-memory.dmp

Filesize
764KB

Download
memory/1256-58-0x0000000007520000-0x0000000007607000-memory.dmp

Filesize
924KB

Download
memory/1272-53-0x00000000000E0000-0x00000000000F4000-memory.dmp

Filesize
80KB

Download
memory/1272-55-0x00000000000E0000-0x00000000000F4000-memory.dmp

Filesize
80KB

Download
memory/2024-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2024-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2024-42-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2024-0-0x000000002FF71000-0x000000002FF72000-memory.dmp

Filesize
4KB

Download
memory/2644-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2644-51-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2644-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download