formbook | d5f9868247128595477ac9fb6a5af781853986c05adf9d111b10b59e7fbe962e

General

Target

QTE000021674.rtf
Size

432KB
MD5

520c787857586063238e4684770f9f51
SHA1

bcc10a912754c22eccfc20f8840dd83bbbc40770
SHA256

d5f9868247128595477ac9fb6a5af781853986c05adf9d111b10b59e7fbe962e
SHA512

32bbf81e48a8c71876a9b1ded27245d45ade4ce563b80a168149e1499fd6cb260ab717e304b81b2beb1d056df215713d65feb47094e93fa94707525489cf4d8c
SSDEEP

6144:4wAYwAYwAYwAYwAYwAYwAYwAYwAYwABKeeIeqW:6

Score

10^/10

formbook mw62 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mw62

Decoy

abpdainik.in

luxuryprojectmalad.co.in

cajunbellebeauty.com

fpmfstudios.com

spedyz.shop

wilddogphotographics.com

apollomoda1.com

evrimciftciportfolio.com

99977bet.com

inefavel.com

mf85.com

online-doctor-nl-1.bond

zqi2lv.vip

thewebdesignhub.co

botwitter.com

18comic-palwoeld.club

loveweldpermanentjewelry.com

l3er39pc-gaywn6kv-d7fs4t7u.cc

31yoyogamestudio.com

yhvh.cloud

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2940-64-0x00000000000F0000-0x000000000011F000-memory.dmp	formbook

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 2328 EQNEDT32.EXE
7 2328 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

616 powershell.exe
1712 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

maxziflow22994.scrmaxziflow22994.scr

pid process

2432 maxziflow22994.scr
1692 maxziflow22994.scr
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2328 EQNEDT32.EXE

flow	pid	process
4	2328	EQNEDT32.EXE
7	2328	EQNEDT32.EXE

pid	process
616	powershell.exe
1712	powershell.exe

pid	process
2328	EQNEDT32.EXE

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

maxziflow22994.scrmaxziflow22994.scrrundll32.exe

description	pid	process	target process
PID 2432 set thread context of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 1692 set thread context of 1172	1692	maxziflow22994.scr	Explorer.EXE
PID 2940 set thread context of 1172	2940	rundll32.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1908 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2328 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1908	schtasks.exe

pid	process
2328	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE

pid	process
1728	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

maxziflow22994.scrmaxziflow22994.scrpowershell.exepowershell.exerundll32.exe

pid	process
2432	maxziflow22994.scr
1692	maxziflow22994.scr
2432	maxziflow22994.scr
1692	maxziflow22994.scr
1712	powershell.exe
616	powershell.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

maxziflow22994.scrrundll32.exe

pid process

1692 maxziflow22994.scr
1692 maxziflow22994.scr
1692 maxziflow22994.scr
2940 rundll32.exe
2940 rundll32.exe

pid	process
1692	maxziflow22994.scr
1692	maxziflow22994.scr
1692	maxziflow22994.scr
2940	rundll32.exe
2940	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

maxziflow22994.scrmaxziflow22994.scrpowershell.exepowershell.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2432	maxziflow22994.scr
Token: SeDebugPrivilege	1692	maxziflow22994.scr
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2940	rundll32.exe
Token: SeShutdownPrivilege	1172	Explorer.EXE
Token: SeShutdownPrivilege	1172	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE
1728 WINWORD.EXE

pid	process
1728	WINWORD.EXE
1728	WINWORD.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

EQNEDT32.EXEmaxziflow22994.scrWINWORD.EXEExplorer.EXErundll32.exe

description	pid	process	target process
PID 2328 wrote to memory of 2432	2328	EQNEDT32.EXE	maxziflow22994.scr
PID 2328 wrote to memory of 2432	2328	EQNEDT32.EXE	maxziflow22994.scr
PID 2328 wrote to memory of 2432	2328	EQNEDT32.EXE	maxziflow22994.scr
PID 2328 wrote to memory of 2432	2328	EQNEDT32.EXE	maxziflow22994.scr
PID 2432 wrote to memory of 616	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 616	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 616	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 616	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 1712	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 1712	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 1712	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 1712	2432	maxziflow22994.scr	powershell.exe
PID 2432 wrote to memory of 1908	2432	maxziflow22994.scr	schtasks.exe
PID 2432 wrote to memory of 1908	2432	maxziflow22994.scr	schtasks.exe
PID 2432 wrote to memory of 1908	2432	maxziflow22994.scr	schtasks.exe
PID 2432 wrote to memory of 1908	2432	maxziflow22994.scr	schtasks.exe
PID 1728 wrote to memory of 2680	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2680	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2680	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2680	1728	WINWORD.EXE	splwow64.exe
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 2432 wrote to memory of 1692	2432	maxziflow22994.scr	maxziflow22994.scr
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 1172 wrote to memory of 2940	1172	Explorer.EXE	rundll32.exe
PID 2940 wrote to memory of 1636	2940	rundll32.exe	cmd.exe
PID 2940 wrote to memory of 1636	2940	rundll32.exe	cmd.exe
PID 2940 wrote to memory of 1636	2940	rundll32.exe	cmd.exe
PID 2940 wrote to memory of 1636	2940	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QTE000021674.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
3⤵
PID:1636

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\maxziflow22994.scr
"C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TcBkdpyhoAsZn.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TcBkdpyhoAsZn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66AF.tmp"
3⤵
- Creates scheduled task(s)
PID:1908

C:\Users\Admin\AppData\Roaming\maxziflow22994.scr
"C:\Users\Admin\AppData\Roaming\maxziflow22994.scr"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp66AF.tmp
Filesize
1KB

MD5
e7dbbc45de791107d21d5f2a5a3515d7

SHA1
3b024c03471a21c62b45c6cea77f3d991c20f000

SHA256
6a768031eca2b1069b4d11c644882ee1840bb1edaacdc0f1f9afeb0ab29de4fb

SHA512
6720cac34594a17c324577f40789d056729e3d75431108be5dbd09816d505513834f8378c6e5cec076a7d1987735c2fa5228935fdb2c1bcd94df575c80780e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
87eb64755b07a06d1279f60c0ae8dd7d

SHA1
870e32aab444798b3c58c770ef2cc4f21daa1780

SHA256
6f35233e0b7275fa7f85f24332b5c1fafdeb71f81b200595f1d01b330e859b58

SHA512
6fd4b078defc73f765dc7dca281816f4a67353308ffcce352e7bae5921413bc6426e7a20fd2fe12833ea79ffdac0e2b6a8b2083450bcd0af4cc65601e1d9fa3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b9c5f33660d8f5fe932388e06801976e

SHA1
80475de7e6bee962b13ac5c484529da6ca025bce

SHA256
ee8a8a2543035d73f4a01746e09a0757b41bf00b5ee769aaf6f78200a277264e

SHA512
e5b488f8c430d5628e9667b366d12a4fbef3c42233f99196cb899415dfd6c8e9eace87552629a5a09a6c9ecc067d4585eaa0ead71aefad4181c6fdaf0f217647

Download Submit
\Users\Admin\AppData\Roaming\maxziflow22994.scr
Filesize
649KB

MD5
f72ff88e070bcebaba1df813b943cc36

SHA1
5c131b1d0aee58c22f9a1338f05be83340d79913

SHA256
3bc698ecfffe91717605ae4f50b9f4b2faa8dd85f190265b687f705d35f4a16a

SHA512
ae97aa8c2960cc1e80eeb011d10cf96f3b44777b58a32d3769591de30ce73c233018171d3ead8b06d0604bcc871486dc436973181b87509cfa3e555a68db9e34

Download Submit
memory/1172-59-0x0000000000340000-0x0000000000440000-memory.dmp

Filesize
1024KB

Download
memory/1172-69-0x0000000007040000-0x0000000007145000-memory.dmp

Filesize
1.0MB

Download
memory/1692-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1692-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-0-0x000000002F621000-0x000000002F622000-memory.dmp

Filesize
4KB

Download
memory/1728-65-0x000000007195D000-0x0000000071968000-memory.dmp

Filesize
44KB

Download
memory/1728-2-0x000000007195D000-0x0000000071968000-memory.dmp

Filesize
44KB

Download
memory/1728-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2432-36-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/2432-39-0x0000000004190000-0x0000000004206000-memory.dmp

Filesize
472KB

Download
memory/2432-38-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2432-37-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2432-31-0x00000000009C0000-0x0000000000A66000-memory.dmp

Filesize
664KB

Download
memory/2432-29-0x000000006B37E000-0x000000006B37F000-memory.dmp

Filesize
4KB

Download
memory/2940-61-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/2940-63-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/2940-64-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads