formbook | 2e155653e55de265cfccc7878ca28f97a81a5aaa53ce70220d2480987dbe210b

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4df520118d965fb2ab0bde1dcc09ff3_JaffaCakes118.rtf
Size

730KB
MD5

c4df520118d965fb2ab0bde1dcc09ff3
SHA1

ef4144775c594a5b327c07c303a05d80a02be2a6
SHA256

2e155653e55de265cfccc7878ca28f97a81a5aaa53ce70220d2480987dbe210b
SHA512

c556c0794fd1b8a7dcedce0e6c865e9a98314a262b982558d7e1af9872968f2173c2f73e7942d77210fbbcf43ba26902ad5658bb14d3b1b26bb80c895b5b4080
SSDEEP

12288:/OMm3F8MGhjSyUo7sIcnfDETcX8jf0NLOQL8Iunvmqe:3m1rGhj09IcfATw8jfMLXYnvml

Score

10^/10

formbook ch52 credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch52

Decoy

olyzee.com

fulguropop.com

oceancountybankruptcylawyer.com

rmrwoods.com

jiegenghualang.com

strongshopping.net

bestifwest.com

ruggedcrossmusic.net

sveja.gmbh

smoothrepairs.info

viemmaotinhhoan.com

thebalancedlifecenter.com

863bifa.com

waldospost.com

tripsinpano.com

usvxhr.loan

sibillaonceuponatimeisnow.com

yodatironil.com

ib-habibmetro.com

dulcescreativos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2684	2180	cmd.exe	29
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2616	2180	cmd.exe	29

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1488-74-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1488-79-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YXSDLRU8N = "C:\\Program Files (x86)\\Badil_rg\\gdiafih1.exe"	NETSTAT.EXE

Executes dropped EXE 2 IoCs

pid	Process
796	exe.exe
1488	exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2624	cmd.exe
2624	cmd.exe
796	exe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 1488	796	exe.exe	67
PID 1488 set thread context of 1208	1488	exe.exe	21
PID 2016 set thread context of 1208	2016	NETSTAT.EXE	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Badil_rg\gdiafih1.exe	NETSTAT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2716	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2016	NETSTAT.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1176	taskkill.exe

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2764	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2180	WINWORD.EXE
2952	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1488	exe.exe
1488	exe.exe
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE
2016	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1488	exe.exe
1488	exe.exe
1488	exe.exe
2016	NETSTAT.EXE
2016	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1488	exe.exe
Token: SeDebugPrivilege	2016	NETSTAT.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
796	exe.exe
796	exe.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
796	exe.exe
796	exe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2180	WINWORD.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
796	exe.exe
2952	WINWORD.EXE
2952	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2684	2180	WINWORD.EXE	30
PID 2180 wrote to memory of 2684	2180	WINWORD.EXE	30
PID 2180 wrote to memory of 2684	2180	WINWORD.EXE	30
PID 2180 wrote to memory of 2684	2180	WINWORD.EXE	30
PID 2684 wrote to memory of 2624	2684	cmd.exe	32
PID 2684 wrote to memory of 2624	2684	cmd.exe	32
PID 2684 wrote to memory of 2624	2684	cmd.exe	32
PID 2684 wrote to memory of 2624	2684	cmd.exe	32
PID 2180 wrote to memory of 2616	2180	WINWORD.EXE	33
PID 2180 wrote to memory of 2616	2180	WINWORD.EXE	33
PID 2180 wrote to memory of 2616	2180	WINWORD.EXE	33
PID 2180 wrote to memory of 2616	2180	WINWORD.EXE	33
PID 2624 wrote to memory of 2716	2624	cmd.exe	35
PID 2624 wrote to memory of 2716	2624	cmd.exe	35
PID 2624 wrote to memory of 2716	2624	cmd.exe	35
PID 2624 wrote to memory of 2716	2624	cmd.exe	35
PID 2764 wrote to memory of 2228	2764	EQNEDT32.EXE	37
PID 2764 wrote to memory of 2228	2764	EQNEDT32.EXE	37
PID 2764 wrote to memory of 2228	2764	EQNEDT32.EXE	37
PID 2764 wrote to memory of 2228	2764	EQNEDT32.EXE	37
PID 2624 wrote to memory of 796	2624	cmd.exe	39
PID 2624 wrote to memory of 796	2624	cmd.exe	39
PID 2624 wrote to memory of 796	2624	cmd.exe	39
PID 2624 wrote to memory of 796	2624	cmd.exe	39
PID 2624 wrote to memory of 1176	2624	cmd.exe	40
PID 2624 wrote to memory of 1176	2624	cmd.exe	40
PID 2624 wrote to memory of 1176	2624	cmd.exe	40
PID 2624 wrote to memory of 1176	2624	cmd.exe	40
PID 2624 wrote to memory of 2428	2624	cmd.exe	42
PID 2624 wrote to memory of 2428	2624	cmd.exe	42
PID 2624 wrote to memory of 2428	2624	cmd.exe	42
PID 2624 wrote to memory of 2428	2624	cmd.exe	42
PID 2624 wrote to memory of 1588	2624	cmd.exe	43
PID 2624 wrote to memory of 1588	2624	cmd.exe	43
PID 2624 wrote to memory of 1588	2624	cmd.exe	43
PID 2624 wrote to memory of 1588	2624	cmd.exe	43
PID 2624 wrote to memory of 2280	2624	cmd.exe	44
PID 2624 wrote to memory of 2280	2624	cmd.exe	44
PID 2624 wrote to memory of 2280	2624	cmd.exe	44
PID 2624 wrote to memory of 2280	2624	cmd.exe	44
PID 2624 wrote to memory of 2208	2624	cmd.exe	45
PID 2624 wrote to memory of 2208	2624	cmd.exe	45
PID 2624 wrote to memory of 2208	2624	cmd.exe	45
PID 2624 wrote to memory of 2208	2624	cmd.exe	45
PID 2624 wrote to memory of 2040	2624	cmd.exe	46
PID 2624 wrote to memory of 2040	2624	cmd.exe	46
PID 2624 wrote to memory of 2040	2624	cmd.exe	46
PID 2624 wrote to memory of 2040	2624	cmd.exe	46
PID 2624 wrote to memory of 1440	2624	cmd.exe	47
PID 2624 wrote to memory of 1440	2624	cmd.exe	47
PID 2624 wrote to memory of 1440	2624	cmd.exe	47
PID 2624 wrote to memory of 1440	2624	cmd.exe	47
PID 2624 wrote to memory of 2100	2624	cmd.exe	48
PID 2624 wrote to memory of 2100	2624	cmd.exe	48
PID 2624 wrote to memory of 2100	2624	cmd.exe	48
PID 2624 wrote to memory of 2100	2624	cmd.exe	48
PID 2624 wrote to memory of 2564	2624	cmd.exe	49
PID 2624 wrote to memory of 2564	2624	cmd.exe	49
PID 2624 wrote to memory of 2564	2624	cmd.exe	49
PID 2624 wrote to memory of 2564	2624	cmd.exe	49
PID 2624 wrote to memory of 2664	2624	cmd.exe	50
PID 2624 wrote to memory of 2664	2624	cmd.exe	50
PID 2624 wrote to memory of 2664	2624	cmd.exe	50
PID 2624 wrote to memory of 2664	2624	cmd.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c4df520118d965fb2ab0bde1dcc09ff3_JaffaCakes118.rtf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:796
      - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SelectClose.docx"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        6⤵
        
        PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    PID:2616
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %tmp%\task.bat & UUUUUUUUc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
76c94647524188152c6488600cc438b0

SHA1
7ad2e8fb058e9c49bb24585ec4e55ee245f583ac

SHA256
3b15e835ec20c66ffebdd3486cd8673c833e07ff2816bec17fa8b1343e6cad7b

SHA512
53da7e38aea99dd6fe0861f8394bcf75f3d10b56ed682d8707ea41846a56f281e230acd2765dd5001445b0ac382f55a80b229dbd0b855100d267ef56a968f0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\decoy.doc

Filesize
6KB

MD5
8aa714246a60b5b7d089acecd067ce15

SHA1
3c67faddddb34c6d7f5db3d57df8ff8e9228cd12

SHA256
818ebeca60e982c7c5af9821e8677b0e6e730c9fbeac1ad6fed5164d87b5cb3f

SHA512
1e49b62c9b56c0b2d5073005ec3f735529bb5ef2424c51bcadf3b75dddc89247183f9aa53de32ae87c734f711473842a222652ed62082b1ab07768e47fbf14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
423B

MD5
2c312feccc1087e26067d94cded6f651

SHA1
985be5e82d80e1e941cb551cfba8fef800c2b577

SHA256
4a33e3c5702d9da4913293a836b10ff6b9e136952e3d72f253f1c5183f4d1c8d

SHA512
38fbc600251b5791fbff775ffd702d175c5f45525f0914d44acea7ac71e7670b71acd9a9ebb4369573c8202d10a4b90a2c753bf456e1712a43d8dcf7c4d40949

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
154B

MD5
c6df97bd319c2e2b887d5de476623737

SHA1
41a7fdf29b42950b3a076ad46c78b48bb3874140

SHA256
8c629d6202f6084f4100920659d623364a4bf01fad652b121148a9a3ff739da0

SHA512
5bce66c71d2e2dcdda82fb9b9596a20fa77d06afcc5de82a7ab34b3945c48559301158eff86606200c784a1c84b088684b1aa4443b52bf6069b78b60f48b8524

Download Submit
C:\Users\Admin\AppData\Roaming\4NPR35D0\4NPlogim.jpeg

Filesize
57KB

MD5
e01de21967f475bc65e0c4726df40b36

SHA1
7304e06f9516595042e6eea80166d529cfe4ad0f

SHA256
154118a0e5ec4936c132c0121e78ffac6dde5df29700325305459c5ef42fc8e8

SHA512
15aff5828e66668af4cc94a56d95581fbfd1040bbc1e1dedfccf62b76f80ea9517b8ccda55c528ab5347907411399275e90120b1ad892ffc6097a31491961439

Download Submit
C:\Users\Admin\AppData\Roaming\4NPR35D0\4NPlogri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\4NPR35D0\4NPlogrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
267B

MD5
26478946074f9a79ff396a1f9fadf5f9

SHA1
c7f69b0aac35e1d48cebcff58518c336721587ba

SHA256
142cbf8890437b59c65147c7756b01b566674c65d371873d163543cc034c04da

SHA512
c991982ed9a753a636c586930ba31e26c7fc3c579c72eb33f288e1a0742a8ab01cd262df4c157c482a0fc19e7c81079e272a42cc2c2aa5eaa7541af3a89e2598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d59f52a06ceeabddf94aab220fab07d3

SHA1
86ee3c487c4b2091995140807363aa2d020e66d5

SHA256
b6d86a34262e545192a744e882e5b367e6aee706104ed0fd137823fc76690d14

SHA512
bfb60aa9c5ea01d09a16b894574f7a89c6231e057869ed8caa071c06453eaacc50fd657fa85936f81943b4ce95649c25eb0a6190e07f1bc777d399a73eda1fac

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
344KB

MD5
504d25fef898915763a73f2614fe3e78

SHA1
90bf1b04a7961f9d8ba9bfb413592b3b0ffac65d

SHA256
c8fc848226cee9df72c1bad0549edbc93eb62dc71edbd7e13396fac40b00737a

SHA512
4875679d712ee70fd03598372756548b1033a2521129c657d8bbc7b2e4f3e7aa38c24f12453f1b17a719e30cbb58922926f83c112876edba366be0d19dbfc25e

Download Submit
memory/1208-77-0x00000000044D0000-0x00000000046D0000-memory.dmp

Filesize
2.0MB

Download
memory/1208-85-0x0000000007030000-0x000000000718C000-memory.dmp

Filesize
1.4MB

Download
memory/1488-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1488-79-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2016-81-0x0000000000C60000-0x0000000000C69000-memory.dmp

Filesize
36KB

Download
memory/2180-0-0x000000002FE11000-0x000000002FE12000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2180-2-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

Filesize
44KB

Download
memory/2180-41-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

Filesize
44KB

Download
memory/2952-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2952-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download