Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 27-08-2024 09:32

Static task: static1

Behavioral task: behavioral1
  Sample: newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
  Resource: win10v2004-20240802-en
General
Target: newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf
Size: 88KB
MD5: 02d3b93c00b013f2eb2754e469cb23e2
SHA1: f5851bc2be976e9e68269b46a90deaa0ca8e6c11
SHA256: d55b76f0fe17bfad915babdae492f466987ee515f21150b6666fa276aa95774d
SHA512: 7279328ec46219ac9eec1bc4c881fbaa86ed79eb813bac293d7760a8b83b2859c4f7d22e071f3734a16aad19416fed13c107fce8faf5a3bc844fe75bce373b69
SSDEEP: 768:FCfB5RIvn0YGd7/qvYzI84zl2xvIzEJSeT/BZWd:FCxIi7/jzI84zlcvIwJSMMd
Malware Config
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2024 | 2340 | odbcconf.exe | WINWORD.EXE

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid | process
  4 | 316 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2728 | fodhelper.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  316 | EQNEDT32.EXE
  2024 | odbcconf.exe

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\fodhelper.exe | autoit_exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description | pid | process | target process
  PID 2728 set thread context of 2648 | 2728 | fodhelper.exe | svchost.exe
  PID 2648 set thread context of 2340 | 2648 | svchost.exe | WINWORD.EXE
  PID 2648 set thread context of 2024 | 2648 | svchost.exe | odbcconf.exe
  PID 2024 set thread context of 2340 | 2024 | odbcconf.exe | WINWORD.EXE

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fodhelper.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odbcconf.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2958949473-3205530200-1453100116-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | odbcconf.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid | process
  2340 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  2648 | svchost.exe (4 identical entries)
  2024 | odbcconf.exe (4 identical entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid | process
  2728 | fodhelper.exe
  2648 | svchost.exe
  2340 | WINWORD.EXE (2 identical entries)
  2024 | odbcconf.exe (2 identical entries)

Suspicious use of FindShellTrayWindow (10 IoCs)
Processes:
  pid | process
  2728 | fodhelper.exe (10 identical entries)

Suspicious use of SendNotifyMessage (10 IoCs)
Processes:
  pid | process
  2728 | fodhelper.exe (10 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  2340 | WINWORD.EXE (2 identical entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description | pid | process | target process
  PID 316 wrote to memory of 2728 | 316 | EQNEDT32.EXE | fodhelper.exe (4 identical entries)
  PID 2728 wrote to memory of 2648 | 2728 | fodhelper.exe | svchost.exe (5 identical entries)
  PID 2340 wrote to memory of 2088 | 2340 | WINWORD.EXE | splwow64.exe (4 identical entries)
  PID 2340 wrote to memory of 2024 | 2340 | WINWORD.EXE | odbcconf.exe (7 identical entries)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\newthingsareintheonethewaytogetthebackbuttersochbuttersweetnesswithentireoprocessaneedgoodthingstoge.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2340

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2088

  C:\Windows\SysWOW64\odbcconf.exe
    Command line: "C:\Windows\SysWOW64\odbcconf.exe"
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 2024

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 316

  C:\Users\Admin\AppData\Roaming\fodhelper.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fodhelper.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2728

    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\fodhelper.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 282KB
MD5: f6b813ab6e2b5020a114881a40ef96d5
SHA1: b24c9c40119b5cf7991391dfb686fa17c4fa75d7
SHA256: a536c415abf892bc4bce6226c7aa7f8672f6bcd6397dda834076c189051ce3df
SHA512: 854d9dc0713fdaae258d577fbe3ca1d72ba34abb1006a75351240e89d82a2450c46a1e6749843568ee59f488f30d35a473088e5a17d30994254cfff9c2d1dd83

Filesize: 557KB
MD5: d113a47c6ac162a76d78c817aeb57755
SHA1: f301cea25c2032dd67ffbd21242b209f0ee70ee2
SHA256: bae32df8fa24a3e55bcc1591e09918259173f870090e2ae775509edb8b893eb4
SHA512: ba64e248ee75fa43cae60c1e0815c512f89eabc140b35aa696d428a3f5d328db04981c0f500b78211bbfd9087ba678328c8ad63ac51249062900693a1d399178

Filesize: 1.2MB
MD5: fcb34a54159d0de7cb5fa2fae1c82e72
SHA1: cdd24b1c4a485af65e7b9f27445a3d1a84c67a84
SHA256: 1cc966797759658cf1d26bf74c88c5d41ee52f0461676de7877060a03ed7e17c
SHA512: 827c2c4ad08295abc6ed567f72cdddf0a63f7bbcedc7e24195cd985f79203d736aaa22e583c8e0d6595f8f72c5f006bac2602fc9cc6b12ad03cddfa1927b0b95

Filesize: 1.1MB
MD5: f55e5766477de5997da50f12c9c74c91
SHA1: 4dc98900a887be95411f07b9e597c57bdc7dbab3
SHA256: 90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69
SHA512: 983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05