Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 09:25

Static task: static1
Behavioral task: behavioral1
  Sample: nell.rtf
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: nell.rtf
  Resource: win10v2004-20240709-en
General
- Target: nell.rtf
- Size: 513KB
- MD5: fb3027e4c7adc0370181f6f73c6dff33
- SHA1: 9ded925615bd1ef1c5dd88febdd10b1bb29b83df
- SHA256: da7597eed278b6ebb330685e1caea6c1bc6ad9b2abff9afa05633f4cb5f7a123
- SHA512: 70325e60251e76ef02a505d77fd2f01fbe1a67796dd2187a24533200dbdf80d4b5e352b0dc87a7c714f78edc776bac10f8625d66126e261bf69cf5eb0d8bdad4
- SSDEEP: 6144:W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W626:ZP
Malware Config
Extracted
formbook
4.1
btrd
everslane.com
prairieviewelectric.online
dszvhgd.com
papamuch.com
8129k.vip
jeffreestar.gold
bestguestrentals.com
nvzhuang1.net
anangtoto.com
yxfgor.top
practicalpoppers.com
thebestanglephotography.online
koormm.top
criika.net
audioflow.online
380747.net
jiuguanwang.net
bloxequities.com
v321c.com
sugar.monster
agriwithai.com
rd8.online
texanboxes.com
h7wlvwr4afx.top
furryfriendsupply.store
xmentorgroup.com
runccl.com
fairplaytavern.com
concretecountertopsolutios.com
wzxq.xyz
outletivo.com
studyasp.net
pure1027.com
xpffvn.cfd
liposuctionclinics2.today
rouchoug.top
rifasgados.com
tesourosobrerodas.site
1stclasstv.net
invest247on.com
watch2movie.xyz
martline.website
naddafornadda.com
drbtcbtc.com
turbrun.com
autounion999370.top
wirewizardselectric.net
0757hunyin.net
researchforhighschool.com
thedivorcesurvivalguide.com
emeraldsurrogatefabric.com
home-repair-contractors-kfm.xyz
onlynaturlpt.shop
agiletzal.site
dylanmoranrules.com
ngbbvuhkm5.asia
proveedorafrac.com
pho3nixkidsghana.com
greatfightcompany.com
hotnerdsg.com
thecolourgrey.com
librarylatte.com
videomademagic.com
coinrun.net
cnoszirzbkaqz.com
Signatures
- Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2704-38-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
  behavioral1/memory/2704-41-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
  behavioral1/memory/748-43-0x00000000000C0000-0x00000000000EF000-memory.dmp    formbook
- Blocklisted process makes network request (2 IoCs)
  flow   pid    process
  5      1648   EQNEDT32.EXE
  7      1648   EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid    process
  2984   nell56789.scr
  2704   nell56789.scr
- Loads dropped DLL (1 IoC)
  pid    process
  1648   EQNEDT32.EXE
- Suspicious use of SetThreadContext (4 IoCs)
  description                           pid    process         target process
  PID 2984 set thread context of 2704   2984   nell56789.scr   nell56789.scr
  PID 2704 set thread context of 1388   2704   nell56789.scr   Explorer.EXE
  PID 2704 set thread context of 1388   2704   nell56789.scr   Explorer.EXE
  PID 748 set thread context of 1388    748    wininit.exe     Explorer.EXE
- Drops file in Windows directory (1 IoC)
  description                    ioc                                 process
  File opened for modification   C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid    process
  1712   WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid    process
  2704   nell56789.scr   (3 entries)
  748    wininit.exe     (27 entries)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    process
  2704   nell56789.scr   (4 entries)
  748    wininit.exe     (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                  pid    process
  Token: SeDebugPrivilege      2704   nell56789.scr
  Token: SeDebugPrivilege      748    wininit.exe
  Token: SeShutdownPrivilege   1388   Explorer.EXE
  Token: SeShutdownPrivilege   1388   Explorer.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  1712   WINWORD.EXE   (2 entries)
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                          pid    process         target process
  PID 1648 wrote to memory of 2984     1648   EQNEDT32.EXE    nell56789.scr   (4 entries)
  PID 2984 wrote to memory of 2704     2984   nell56789.scr   nell56789.scr   (7 entries)
  PID 1712 wrote to memory of 1216     1712   WINWORD.EXE     splwow64.exe    (4 entries)
  PID 2704 wrote to memory of 748      2704   nell56789.scr   wininit.exe     (4 entries)
  PID 748 wrote to memory of 2332      748    wininit.exe     cmd.exe         (4 entries)
Processes
C:\Windows\Explorer.EXE  (PID 1388)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1712)
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\nell.rtf"
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  (PID 1216)
      cmdline: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\autofmt.exe  (15 instances: PIDs 2668, 2148, 2240, 2864, 2184, 2360, 1896, 580, 2580, 2692, 2928, 2064, 2932, 3040, 1192)
    cmdline: "C:\Windows\SysWOW64\autofmt.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1648)
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\nell56789.scr  (PID 2984)
    cmdline: "C:\Users\Admin\AppData\Roaming\nell56789.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\nell56789.scr  (PID 2704)
      cmdline: "C:\Users\Admin\AppData\Roaming\nell56789.scr"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wininit.exe  (PID 748)
        cmdline: "C:\Windows\SysWOW64\wininit.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 2332)
          cmdline: /c del "C:\Users\Admin\AppData\Roaming\nell56789.scr"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: de3031d0e18ddfb08b5ed543fbf5e138
  SHA1: f245502af4efe21e20db08bc3b0cd9e603e38a8d
  SHA256: 1c4b548960023f29693ef3b72779365f82bd94cc09100548a174183e4642649d
  SHA512: 83f2c137bcd3e05e5bb08aa18e65c491f264bf2def9875486b0cfae6c07ae02fd500e830400eaf32cce6034738165fdcc18dfd73ad0f173d7077d9d2c5630223
- Filesize: 617KB
  MD5: bbb12cd2696ac986ad79c0116da987f4
  SHA1: 802f65e20825ee6b2b5074e6084bc284241278d8
  SHA256: d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e
  SHA512: 318e885d898a42b2751d387ba48b6fb359d3665d18637de48f35a53ea525bccbd1d9175a1f0429051d0a714ee887900ad3577db36d31d65f89ba7fb185484911