Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 14:55
Static task: static1
Behavioral task: behavioral1
- Sample: QTE000021674.rtf
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: QTE000021674.rtf
- Resource: win10v2004-20240426-en
General
- Target: QTE000021674.rtf
- Size: 432KB
- MD5: 520c787857586063238e4684770f9f51
- SHA1: bcc10a912754c22eccfc20f8840dd83bbbc40770
- SHA256: d5f9868247128595477ac9fb6a5af781853986c05adf9d111b10b59e7fbe962e
- SHA512: 32bbf81e48a8c71876a9b1ded27245d45ade4ce563b80a168149e1499fd6cb260ab717e304b81b2beb1d056df215713d65feb47094e93fa94707525489cf4d8c
- SSDEEP: 6144:4wAYwAYwAYwAYwAYwAYwAYwAYwAYwABKeeIeqW:6
Malware Config
Extracted: formbook
- Version: 4.1
- Campaign: mw62
Signatures
-
Formbook payload 2 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1692-56-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/2940-64-0x00000000000F0000-0x000000000011F000-memory.dmp  formbook
-
Blocklisted process makes network request 2 IoCs
Processes (flow, pid, process):
- 4  2328  EQNEDT32.EXE
- 7  2328  EQNEDT32.EXE
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 616  powershell.exe
- 1712  powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2432  maxziflow22994.scr
- 1692  maxziflow22994.scr
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 2328  EQNEDT32.EXE
-
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
- File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2432 set thread context of 1692  2432 maxziflow22994.scr -> maxziflow22994.scr
- PID 1692 set thread context of 1172  1692 maxziflow22994.scr -> Explorer.EXE
- PID 2940 set thread context of 1172  2940 rundll32.exe -> Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes (description, ioc, process):
- File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 1728  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes (pid, process):
- 2432  maxziflow22994.scr (x2)
- 1692  maxziflow22994.scr (x2)
- 1712  powershell.exe
- 616  powershell.exe
- 2940  rundll32.exe (repeated)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 1692  maxziflow22994.scr (x3)
- 2940  rundll32.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege  2432  maxziflow22994.scr
- Token: SeDebugPrivilege  1692  maxziflow22994.scr
- Token: SeDebugPrivilege  1712  powershell.exe
- Token: SeDebugPrivilege  616  powershell.exe
- Token: SeDebugPrivilege  2940  rundll32.exe
- Token: SeShutdownPrivilege  1172  Explorer.EXE (x2)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
- 1728  WINWORD.EXE (x2)
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes (description, pid, process, target process):
- PID 2328 wrote to memory of 2432  2328 EQNEDT32.EXE -> maxziflow22994.scr (x4)
- PID 2432 wrote to memory of 616  2432 maxziflow22994.scr -> powershell.exe (x4)
- PID 2432 wrote to memory of 1712  2432 maxziflow22994.scr -> powershell.exe (x4)
- PID 2432 wrote to memory of 1908  2432 maxziflow22994.scr -> schtasks.exe (x4)
- PID 1728 wrote to memory of 2680  1728 WINWORD.EXE -> splwow64.exe (x4)
- PID 2432 wrote to memory of 1692  2432 maxziflow22994.scr -> maxziflow22994.scr (x7)
- PID 1172 wrote to memory of 2940  1172 Explorer.EXE -> rundll32.exe (x7)
- PID 2940 wrote to memory of 1636  2940 rundll32.exe -> cmd.exe (x4)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QTE000021674.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\maxziflow22994.scr
    Command line: "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TcBkdpyhoAsZn.exe"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TcBkdpyhoAsZn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66AF.tmp"
      - Creates scheduled task(s)
    -
    C:\Users\Admin\AppData\Roaming\maxziflow22994.scr
      Command line: "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp66AF.tmp
- Filesize: 1KB
- MD5: e7dbbc45de791107d21d5f2a5a3515d7
- SHA1: 3b024c03471a21c62b45c6cea77f3d991c20f000
- SHA256: 6a768031eca2b1069b4d11c644882ee1840bb1edaacdc0f1f9afeb0ab29de4fb
- SHA512: 6720cac34594a17c324577f40789d056729e3d75431108be5dbd09816d505513834f8378c6e5cec076a7d1987735c2fa5228935fdb2c1bcd94df575c80780e19
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
- Filesize: 20KB
- MD5: 87eb64755b07a06d1279f60c0ae8dd7d
- SHA1: 870e32aab444798b3c58c770ef2cc4f21daa1780
- SHA256: 6f35233e0b7275fa7f85f24332b5c1fafdeb71f81b200595f1d01b330e859b58
- SHA512: 6fd4b078defc73f765dc7dca281816f4a67353308ffcce352e7bae5921413bc6426e7a20fd2fe12833ea79ffdac0e2b6a8b2083450bcd0af4cc65601e1d9fa3c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- Filesize: 7KB
- MD5: b9c5f33660d8f5fe932388e06801976e
- SHA1: 80475de7e6bee962b13ac5c484529da6ca025bce
- SHA256: ee8a8a2543035d73f4a01746e09a0757b41bf00b5ee769aaf6f78200a277264e
- SHA512: e5b488f8c430d5628e9667b366d12a4fbef3c42233f99196cb899415dfd6c8e9eace87552629a5a09a6c9ecc067d4585eaa0ead71aefad4181c6fdaf0f217647
-
\Users\Admin\AppData\Roaming\maxziflow22994.scr
- Filesize: 649KB
- MD5: f72ff88e070bcebaba1df813b943cc36
- SHA1: 5c131b1d0aee58c22f9a1338f05be83340d79913
- SHA256: 3bc698ecfffe91717605ae4f50b9f4b2faa8dd85f190265b687f705d35f4a16a
- SHA512: ae97aa8c2960cc1e80eeb011d10cf96f3b44777b58a32d3769591de30ce73c233018171d3ead8b06d0604bcc871486dc436973181b87509cfa3e555a68db9e34
-
Memory dumps (path, filesize):
- memory/1172-59-0x0000000000340000-0x0000000000440000-memory.dmp  1024KB
- memory/1172-69-0x0000000007040000-0x0000000007145000-memory.dmp  1.0MB
- memory/1692-51-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1692-56-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1692-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
- memory/1692-53-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1728-96-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
- memory/1728-0-0x000000002F621000-0x000000002F622000-memory.dmp  4KB
- memory/1728-65-0x000000007195D000-0x0000000071968000-memory.dmp  44KB
- memory/1728-2-0x000000007195D000-0x0000000071968000-memory.dmp  44KB
- memory/1728-1-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
- memory/2432-36-0x0000000000390000-0x00000000003A6000-memory.dmp  88KB
- memory/2432-39-0x0000000004190000-0x0000000004206000-memory.dmp  472KB
- memory/2432-38-0x0000000000630000-0x0000000000640000-memory.dmp  64KB
- memory/2432-37-0x0000000000620000-0x000000000062C000-memory.dmp  48KB
- memory/2432-31-0x00000000009C0000-0x0000000000A66000-memory.dmp  664KB
- memory/2432-29-0x000000006B37E000-0x000000006B37F000-memory.dmp  4KB
- memory/2940-61-0x00000000008F0000-0x00000000008FE000-memory.dmp  56KB
- memory/2940-63-0x00000000008F0000-0x00000000008FE000-memory.dmp  56KB
- memory/2940-64-0x00000000000F0000-0x000000000011F000-memory.dmp  188KB