Analysis
-
max time kernel
118s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240704-en
-
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
-
submitted
26-08-2024 10:04
Static task
static1
Behavioral task
behavioral1
Sample
newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
Resource
win10v2004-20240802-en
General
-
Target
newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
-
Size
88KB
-
MD5
02d3b93c00b013f2eb2754e469cb23e2
-
SHA1
f5851bc2be976e9e68269b46a90deaa0ca8e6c11
-
SHA256
d55b76f0fe17bfad915babdae492f466987ee515f21150b6666fa276aa95774d
-
SHA512
7279328ec46219ac9eec1bc4c881fbaa86ed79eb813bac293d7760a8b83b2859c4f7d22e071f3734a16aad19416fed13c107fce8faf5a3bc844fe75bce373b69
-
SSDEEP
768:FCfB5RIvn0YGd7/qvYzI84zl2xvIzEJSeT/BZWd:FCxIi7/jzI84zlcvIwJSMMd
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2676 | 2056 | odbcconf.exe | WINWORD.EXE
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
4 | 2540 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2996 | fodhelper.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2540 | EQNEDT32.EXE
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\fodhelper.exe | autoit_exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2996 set thread context of 2632 | 2996 | fodhelper.exe | svchost.exe
PID 2632 set thread context of 2056 | 2632 | svchost.exe | WINWORD.EXE
PID 2632 set thread context of 2676 | 2632 | svchost.exe | odbcconf.exe
PID 2676 set thread context of 2056 | 2676 | odbcconf.exe | WINWORD.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fodhelper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odbcconf.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-3450744190-3404161390-554719085-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | odbcconf.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2056 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
2632 | svchost.exe (4 events)
2676 | odbcconf.exe (4 events)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
2996 | fodhelper.exe
2632 | svchost.exe
2056 | WINWORD.EXE (2 events)
2676 | odbcconf.exe (2 events)
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid | process
2996 | fodhelper.exe (6 events)
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process
2996 | fodhelper.exe (6 events)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2056 | WINWORD.EXE (2 events)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 2540 wrote to memory of 2996 | 2540 | EQNEDT32.EXE | fodhelper.exe (4 events)
PID 2996 wrote to memory of 2632 | 2996 | fodhelper.exe | svchost.exe (5 events)
PID 2056 wrote to memory of 2676 | 2056 | WINWORD.EXE | odbcconf.exe (7 events)
PID 2056 wrote to memory of 2888 | 2056 | WINWORD.EXE | splwow64.exe (4 events)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 2056)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\odbcconf.exe (depth 2, PID 2676)
    Command line: "C:\Windows\SysWOW64\odbcconf.exe"
    - Process spawned unexpected child process
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

  C:\Windows\splwow64.exe (depth 2, PID 2888)
    Command line: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1, PID 2540)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\fodhelper.exe (depth 2, PID 2996)
    Command line: "C:\Users\Admin\AppData\Roaming\fodhelper.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (depth 3, PID 2632)
      Command line: "C:\Users\Admin\AppData\Roaming\fodhelper.exe" (image path and command line differ)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
282KB
MD5
e921554846c281f39a3204fdccdb8767
SHA1
4727c5f95126b0fb80d7168f6f22bdb0f18a275e
SHA256
ac2bf273594fd9809fda3f56ea471e42c0535824a4497da2a54e65edb8101c6c
SHA512
d7cb744bbb8dde3245557f2d79af95c821491d11ca7a3e535484cc8fe22d50c496e52e45085867a19e46c108dc95d2b26ef818dc5f27a41d77a081814889b3aa
-
Filesize
1.3MB
MD5
96f2e6c4838b8b4b406bf2dfb49d5788
SHA1
d318cfe2d0264e30d2575ac72594baa5a56eef84
SHA256
2c4d8b09e22c2808778be4086e8482dddeeea90ec1954ba3fbec284585b6f581
SHA512
43e013dececde531df5eb60d04aee86437bbba9e4b9ccd8c2aea540d16f6530262eec79a8754023721e562d26a3d468fe236550ed7e94e880f9601dd8642eb7c