Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 09:25

Static task: static1

Behavioral task: behavioral1
  Sample: nell.rtf
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: nell.rtf
  Resource: win10v2004-20240709-en
General
Target: nell.rtf
Size: 513KB
MD5: fb3027e4c7adc0370181f6f73c6dff33
SHA1: 9ded925615bd1ef1c5dd88febdd10b1bb29b83df
SHA256: da7597eed278b6ebb330685e1caea6c1bc6ad9b2abff9afa05633f4cb5f7a123
SHA512: 70325e60251e76ef02a505d77fd2f01fbe1a67796dd2187a24533200dbdf80d4b5e352b0dc87a7c714f78edc776bac10f8625d66126e261bf69cf5eb0d8bdad4
SSDEEP: 6144:W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W626:ZP
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: btrd
Signatures

Formbook payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2780-35-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2632-44-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook

Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
5 | 2192 | EQNEDT32.EXE
7 | 2192 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
pid | process
2844 | nell56789.scr
2780 | nell56789.scr

Loads dropped DLL (1 IoC)
Processes:
pid | process
2192 | EQNEDT32.EXE

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 2844 set thread context of 2780 | 2844 | nell56789.scr | nell56789.scr
PID 2780 set thread context of 1200 | 2780 | nell56789.scr | Explorer.EXE
PID 2632 set thread context of 1200 | 2632 | wuapp.exe | Explorer.EXE

Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
1320 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
pid | process
2780 | nell56789.scr (2 occurrences)
2632 | wuapp.exe (28 occurrences)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process
2780 | nell56789.scr (3 occurrences)
2632 | wuapp.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2780 | nell56789.scr
Token: SeDebugPrivilege | 2632 | wuapp.exe
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
Token: SeShutdownPrivilege | 1200 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1200 | Explorer.EXE (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process
1200 | Explorer.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
1320 | WINWORD.EXE (2 occurrences)

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
description | pid | process | target process
PID 2192 wrote to memory of 2844 | 2192 | EQNEDT32.EXE | nell56789.scr (4 occurrences)
PID 2844 wrote to memory of 2780 | 2844 | nell56789.scr | nell56789.scr (7 occurrences)
PID 1200 wrote to memory of 2632 | 1200 | Explorer.EXE | wuapp.exe (7 occurrences)
PID 2632 wrote to memory of 664 | 2632 | wuapp.exe | cmd.exe (4 occurrences)
PID 1320 wrote to memory of 1800 | 1320 | WINWORD.EXE | splwow64.exe (4 occurrences)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\nell.rtf"
    PID: 1320
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1800

  C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    PID: 2632
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\nell56789.scr"
      PID: 664

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2192
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\nell56789.scr
    Command line: "C:\Users\Admin\AppData\Roaming\nell56789.scr"
    PID: 2844
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\nell56789.scr
      Command line: "C:\Users\Admin\AppData\Roaming\nell56789.scr"
      PID: 2780
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 19KB
MD5: 65b9f865f97308a723b5b221d40e6831
SHA1: 792e4a3e61943e82803d68fd61035c568558f518
SHA256: 800c69a78c1a6c26cb0b29dbe8a41dfe1a2269051cb61c0e321413cc7294e4b8
SHA512: ec2cd4831eced173481f8d40d16489ea187123b08c7e5dc801526abd0156ae1d22630987ed96cb995a0f9eb7f62286566263b29c18c4cada3c155250d33a1cdf

Filesize: 617KB
MD5: bbb12cd2696ac986ad79c0116da987f4
SHA1: 802f65e20825ee6b2b5074e6084bc284241278d8
SHA256: d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e
SHA512: 318e885d898a42b2751d387ba48b6fb359d3665d18637de48f35a53ea525bccbd1d9175a1f0429051d0a714ee887900ad3577db36d31d65f89ba7fb185484911