Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15-07-2024 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 837216bb9f9cda26fbebd58a078b6b16.docx
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 837216bb9f9cda26fbebd58a078b6b16.docx
  Resource: win10v2004-20240709-en
General
Target: 837216bb9f9cda26fbebd58a078b6b16.docx
Size: 16KB
MD5: 837216bb9f9cda26fbebd58a078b6b16
SHA1: f8f72e714188e1f6afd09f7b7841437a5e8aee80
SHA256: 007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7
SHA512: 14b72385cf8b462e8425d522368426f10dcab06b5b1be1cb1bf7ca3aad799545cd9f661c38ebafce9d478f1dec36b0324cdfd81695d2a7ec60bbb2aeefbb7624
SSDEEP: 384:YyXg0/+HWos8PL8wi4OEwH8TIbE91r2fR4JYHviMvmbWNv:Ycg0SP5P3DOqnYJ22vlvmbWJ
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: oi12
Signatures

Formbook payload (2 IoCs)
  Resource                                                                      YARA rule
  behavioral1/memory/2312-142-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1480-148-0x00000000000D0000-0x00000000000FF000-memory.dmp  formbook

Blocklisted process makes network request (2 IoCs)
  Flow  PID   Process
  10    3044  EQNEDT32.EXE
  26    1480  cmstp.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE (2 IoCs)
  PID   Process
  2804  obi39199.scr
  2312  obi39199.scr

Loads dropped DLL (1 IoC)
  PID   Process
  3044  EQNEDT32.EXE

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Suspicious use of SetThreadContext (3 IoCs)
  PID 2804 (obi39199.scr) set thread context of PID 2312 (obi39199.scr)
  PID 2312 (obi39199.scr) set thread context of PID 1244 (Explorer.EXE)
  PID 1480 (cmstp.exe) set thread context of PID 1244 (Explorer.EXE)

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  3016  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs)
  PID   Process         Count
  2312  obi39199.scr    2
  448   powershell.exe  1
  1480  cmstp.exe       26

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID   Process       Count
  2312  obi39199.scr  3
  1480  cmstp.exe     2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token              PID   Process
  SeDebugPrivilege   2312  obi39199.scr
  SeDebugPrivilege   448   powershell.exe
  SeDebugPrivilege   1480  cmstp.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process      Count
  3016  WINWORD.EXE  2

Suspicious use of WriteProcessMemory (30 IoCs)
  PID 3044 (EQNEDT32.EXE) wrote to memory of PID 2804 (obi39199.scr)   ×4
  PID 3016 (WINWORD.EXE) wrote to memory of PID 1384 (splwow64.exe)    ×4
  PID 2804 (obi39199.scr) wrote to memory of PID 448 (powershell.exe)  ×4
  PID 2804 (obi39199.scr) wrote to memory of PID 2312 (obi39199.scr)   ×7
  PID 1244 (Explorer.EXE) wrote to memory of PID 1480 (cmstp.exe)      ×7
  PID 1480 (cmstp.exe) wrote to memory of PID 984 (cmd.exe)            ×4
Processes

C:\Windows\Explorer.EXE (PID 1244)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 3016)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\837216bb9f9cda26fbebd58a078b6b16.docx"
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1384)
      Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\autochk.exe (PID 1084)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  C:\Windows\SysWOW64\cmstp.exe (PID 1480)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 984)
      Command line: /c del "C:\Users\Admin\AppData\Roaming\obi39199.scr"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 3044)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\obi39199.scr (PID 2804)
    Command line: "C:\Users\Admin\AppData\Roaming\obi39199.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 448)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi39199.scr"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\obi39199.scr (PID 2312)
      Command line: "C:\Users\Admin\AppData\Roaming\obi39199.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 (174B)
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 (170B)
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D24677F9-11D2-4BFA-A366-B79F016AB727}.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1F02B14F-3D54-4AFF-9D2E-B08A4A2F1E20}.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\orb[1].doc (592KB)