Malware Analysis Report

2024-10-19 09:28

Sample ID 240715-ptvgws1glm
Target 837216bb9f9cda26fbebd58a078b6b16.docx
SHA256 007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7
Tags formbook oi12 execution rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7

Threat Level: Known bad

The file 837216bb9f9cda26fbebd58a078b6b16.docx was found to be: Known bad.

Malicious Activity Summary

formbook oi12 execution rat spyware stealer trojan

Formbook

Formbook payload

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Abuses OpenXML format to download file from external location

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Analysis: static1

Detonation Overview

Reported 2024-07-15 12:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-15 12:37

Reported 2024-07-15 12:40

Platform win7-20240705-en

Max time kernel 148s

Max time network 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\obi39199.scr N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2804 set thread context of 2312 N/A C:\Users\Admin\AppData\Roaming\obi39199.scr C:\Users\Admin\AppData\Roaming\obi39199.scr
PID 2312 set thread context of 1244 N/A C:\Users\Admin\AppData\Roaming\obi39199.scr C:\Windows\Explorer.EXE
PID 1480 set thread context of 1244 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\Explorer.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\obi39199.scr N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\obi39199.scr
PID 3016 wrote to memory of 1384 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2804 wrote to memory of 448 N/A C:\Users\Admin\AppData\Roaming\obi39199.scr C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\obi39199.scr C:\Users\Admin\AppData\Roaming\obi39199.scr
PID 1244 wrote to memory of 1480 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1480 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\837216bb9f9cda26fbebd58a078b6b16.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\obi39199.scr

"C:\Users\Admin\AppData\Roaming\obi39199.scr"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi39199.scr"

C:\Users\Admin\AppData\Roaming\obi39199.scr

"C:\Users\Admin\AppData\Roaming\obi39199.scr"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\SysWOW64\cmstp.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\obi39199.scr"

Network

Country Destination Domain Proto
US 8.8.8.8:53 seadrill.top udp
US 104.21.35.239:443 seadrill.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 www.selalujadipemenang.com udp
PH 154.83.2.40:80 www.selalujadipemenang.com tcp
US 8.8.8.8:53 www.boinga.xyz udp
US 8.8.8.8:53 www.datasynthing.xyz udp
DE 91.195.240.19:80 www.datasynthing.xyz tcp
US 8.8.8.8:53 www.bihungoreng19.click udp
US 172.96.187.211:80 www.bihungoreng19.click tcp
US 8.8.8.8:53 www.agsaydinlatma.online udp
TR 31.186.11.254:80 www.agsaydinlatma.online tcp

Files

C:\Users\Admin\AppData\Local\Temp\{7A9EF1EB-BD86-4DBC-A007-B61E7E4DB7FA}

MD5 ce15c2221ebc2de39f051bf35fba1f82
SHA1 4c4e4436d365a975aca0d84a6fe49df8e466c1b6
SHA256 ccb7de4359d9f1c6f501028f9469029a313826509a007fd4e77ca6ab46d8d079
SHA512 669e415e9a3e04ec343c561e0241fb6bffb22357110798023bdae4394ef94fea341bc360ea9fe8a516d9ad1a77ad1d66aa1821a9e53ebc9a4e7ce66f18d302b8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D24677F9-11D2-4BFA-A366-B79F016AB727}.FSD

MD5 07a17a1326fcd38fa15f275c55db9e02
SHA1 f68009ad08ca5e7f8f11ebf2475ef5d4d12ef7b1
SHA256 2c99fcf183315be27493676c19c58ca390bed5100f505cd6bbda66055c0829c2
SHA512 de681f4cb268637ac87d62b49b8c4c45f7c309e20d67910b63480947c2bc512f761c6e63c826468861b709efa084d6ddb50aba4bbbb6500c781f048f80bfb0dc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 77f2c7c46ec26da3f64337b8d7e10503
SHA1 33f371fb767ff9ca8e530ea6f5f9d8bbd90835cb
SHA256 16051cd9138bf983475cb58b0aaed58b7ba6d848fe8fe92ed69d096228b2f2dd
SHA512 61195ee5c7d6dcb83cdf083ba2f640039057a25ad312dc4000c6f2a795bcca14e69bb734ac63d3cfd8ec2c111b7de7dbf2409af4e5b666c83f5d22ed402b7ac7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1F02B14F-3D54-4AFF-9D2E-B08A4A2F1E20}.FSD

MD5 784fc7d54aec20f06176162e2c9c8984
SHA1 f8658cde004cb55ef6f8af0586523fc888f1ba06
SHA256 8ae1189d9290639bc26350b213de491a86f3f297db3d39c46740dd905d8e9f1a
SHA512 2cc05aad0d31ac73d8d28600e78710689cf1bbe0871f2ae3702e797c07b351ada69216ab774bacaba36e5722b854814456e7c14827a2445a4855b25074cc8c7f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\orb[1].doc

MD5 2ba92be429cdd63c858fa913c4330e03
SHA1 e636674e6ae85009963aac1769dd9330162f2c1b
SHA256 89d4f7ff0f7581285aa90f39213b779edabda6196b48bc386131d71f64b52548
SHA512 cf92cba7448c78c2798c5f5a4a13891e0fe8a2929f7819969424e54bba119c9ce2a2c1310b0621ca0528f2dd57837cc2d08848151cfe4193c90a5a92dd4fbea5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 34c4241e2d3c7d32eca4cb4dd1d1cf2a
SHA1 ea6b55e8a5e9f99e014e4e830b14ab9b19c6a672
SHA256 a3f3414ce8b28afc0fa97aa23f588fbd05b0d9660bfd8f899fc6b00f98083407
SHA512 9c658e8f8d3323a355988f7d591af7885f87973fa8087494f14737c67cfd398a6e4c1bc42f5eb3b73cc0de3bf1ba7984c179227f78b844b8b734ff6d19f559a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 675e285a7edb106b0c4aa0e0bbad339b
SHA1 4f06df75813df8d2e711ccfb413d44369e9b144f
SHA256 903e925c2a7c1c8fdecff4a4646418b7f55a313d0e0ef41b443bc47421ac50fc
SHA512 403300bd6974ea7916479a2918fe9c6080f36c558191d08894f11875df4415a6dbe3cbad7e26e4d7021eba1a5b7511b18ffe0e558b7f337e0f2024bd1e095b9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 1bfe0a81db078ea084ff82fe545176fe
SHA1 50b116f578bd272922fa8eae94f7b02fd3b88384
SHA256 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
SHA512 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

C:\Users\Admin\AppData\Local\Temp\CabC02.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Users\Admin\AppData\Roaming\obi39199.scr

MD5 5bb28f55f7e40a6fc139ab8855a2f4f1
SHA1 30e79283844d61aaf849465d5755d0766daa10b6
SHA256 4f0c6fbe81af5502a29f6e8f0126f213498c24531e80512d1966f773d5131365
SHA512 72d969877392a06f00f8e8f2f12278ba51ca55938227b2d1efed7bffbd953f1657afa0fcf1fd21d8e50f5ec716cc60c0c4e87a2341f63bee7bde0de0a42dfd94

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2d35132d09d053542e46267beb82214c
SHA1 2060db06fd9aba87fc74de4417a311aee66e653d
SHA256 110d85ee240580609b90ae8dc261a8d9136e32673b008c3f7946a6beab9ca479
SHA512 0f3c3677a96d5afa6d53d31ca06ee63589d5d3de53933fb6a30c11dff64716f4dee6155e4000f30ba7bc9dc5db90a158f88c36c0efa10c845e16e5b4337a6a06

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84


Analysis: behavioral2

Detonation Overview

Submitted 2024-07-15 12:37

Reported 2024-07-15 12:40

Platform win10v2004-20240709-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\837216bb9f9cda26fbebd58a078b6b16.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\837216bb9f9cda26fbebd58a078b6b16.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 seadrill.top udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.21.35.239:443 seadrill.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 239.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 123.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QOWVUGSW\orb[1].doc

MD5 2ba92be429cdd63c858fa913c4330e03
SHA1 e636674e6ae85009963aac1769dd9330162f2c1b
SHA256 89d4f7ff0f7581285aa90f39213b779edabda6196b48bc386131d71f64b52548
SHA512 cf92cba7448c78c2798c5f5a4a13891e0fe8a2929f7819969424e54bba119c9ce2a2c1310b0621ca0528f2dd57837cc2d08848151cfe4193c90a5a92dd4fbea5

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c8bbc21413c772b445b553861f71f29f
SHA1 dcbec45b4822729ca75fbc548ca6a8e716bcb3ef
SHA256 ae5e8d144f713f3b3ee7ce2d4fb86e130366780d40b45be69fa67681e4c4c58b
SHA512 8a77a8d5599b5b59243930924a49181046cf6d74aa16061481ef425b7a8e25ba8e1b536f9b80bc0c2f1b6524459e8a44e6b7a9e849f6c9e2b5b6645895bd324b

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCDFBD.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e