formbook | 6cb226cb2bc243d2b6b0421624a03ef846377b4527df1bc908b76f7b2a871f6d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eddd6ccb6801986267e55fc7a676aeb4_JaffaCakes118.rtf
Size

814KB
MD5

eddd6ccb6801986267e55fc7a676aeb4
SHA1

a0b02e09425f5a21b0936d9de18703a7b2e858a5
SHA256

6cb226cb2bc243d2b6b0421624a03ef846377b4527df1bc908b76f7b2a871f6d
SHA512

5da7b04d9d61405a2420140455a9f91c5ef7ac6866eb1f15ca2641a965f4d708a50a5c38f5704ae5cc9e0303d3f5eb7933fa527df35e0966f82a12458b69cffb
SSDEEP

12288:e+WhWEyIulu5kghlYyUyY0WoXf+WMyzVodUqGHXoqYH6N79/v5kgMZ:eIRIj5kghmyvffAy2GV4PaN79/v5kgw

Score

10^/10

formbook ch36 credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch36

Decoy

hookbug.com

useicar.net

plentyofhosting.com

finalmary.win

pacwestcoastalproperties.com

prideharmonyfoundation.com

royaltakeout.com

lephare-shop.com

alphaomeganetworks.com

solistkonsilanlari.com

yj-info.net

badajozbeerlab.com

wwwjsvip9999.com

centraltexasrvpark.net

hosofb789.com

roademissions.com

toscanaristorazione.com

jrmsj.com

sweetsncandy.com

hzcrgg.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2216	2520	cmd.exe	29
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2756	2520	cmd.exe	29

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2800-65-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2800-69-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2416	exe.exe
2800	exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2464	cmd.exe
2464	cmd.exe
2416	exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XJMXNHCH5F = "C:\\Program Files (x86)\\Ol2wp7bmx\\taskhostipbxn4nh.exe"	cmmon32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2800	2416	exe.exe	68
PID 2800 set thread context of 1196	2800	exe.exe	21
PID 908 set thread context of 1196	908	cmmon32.exe	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ol2wp7bmx\taskhostipbxn4nh.exe	cmmon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2824	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2548	taskkill.exe

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2692	EQNEDT32.EXE
2672	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2520	WINWORD.EXE
3020	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2800	exe.exe
2800	exe.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe
908	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2800	exe.exe
2800	exe.exe
2800	exe.exe
908	cmmon32.exe
908	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2800	exe.exe
Token: SeDebugPrivilege	908	cmmon32.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2416	exe.exe
2416	exe.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2416	exe.exe
2416	exe.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2416	exe.exe
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2216	2520	WINWORD.EXE	30
PID 2520 wrote to memory of 2216	2520	WINWORD.EXE	30
PID 2520 wrote to memory of 2216	2520	WINWORD.EXE	30
PID 2520 wrote to memory of 2216	2520	WINWORD.EXE	30
PID 2216 wrote to memory of 2464	2216	cmd.exe	32
PID 2216 wrote to memory of 2464	2216	cmd.exe	32
PID 2216 wrote to memory of 2464	2216	cmd.exe	32
PID 2216 wrote to memory of 2464	2216	cmd.exe	32
PID 2520 wrote to memory of 2756	2520	WINWORD.EXE	33
PID 2520 wrote to memory of 2756	2520	WINWORD.EXE	33
PID 2520 wrote to memory of 2756	2520	WINWORD.EXE	33
PID 2520 wrote to memory of 2756	2520	WINWORD.EXE	33
PID 2464 wrote to memory of 2824	2464	cmd.exe	34
PID 2464 wrote to memory of 2824	2464	cmd.exe	34
PID 2464 wrote to memory of 2824	2464	cmd.exe	34
PID 2464 wrote to memory of 2824	2464	cmd.exe	34
PID 2672 wrote to memory of 2632	2672	EQNEDT32.EXE	37
PID 2672 wrote to memory of 2632	2672	EQNEDT32.EXE	37
PID 2672 wrote to memory of 2632	2672	EQNEDT32.EXE	37
PID 2672 wrote to memory of 2632	2672	EQNEDT32.EXE	37
PID 2464 wrote to memory of 2416	2464	cmd.exe	40
PID 2464 wrote to memory of 2416	2464	cmd.exe	40
PID 2464 wrote to memory of 2416	2464	cmd.exe	40
PID 2464 wrote to memory of 2416	2464	cmd.exe	40
PID 2464 wrote to memory of 2548	2464	cmd.exe	41
PID 2464 wrote to memory of 2548	2464	cmd.exe	41
PID 2464 wrote to memory of 2548	2464	cmd.exe	41
PID 2464 wrote to memory of 2548	2464	cmd.exe	41
PID 2464 wrote to memory of 2864	2464	cmd.exe	43
PID 2464 wrote to memory of 2864	2464	cmd.exe	43
PID 2464 wrote to memory of 2864	2464	cmd.exe	43
PID 2464 wrote to memory of 2864	2464	cmd.exe	43
PID 2464 wrote to memory of 2896	2464	cmd.exe	44
PID 2464 wrote to memory of 2896	2464	cmd.exe	44
PID 2464 wrote to memory of 2896	2464	cmd.exe	44
PID 2464 wrote to memory of 2896	2464	cmd.exe	44
PID 2464 wrote to memory of 3036	2464	cmd.exe	45
PID 2464 wrote to memory of 3036	2464	cmd.exe	45
PID 2464 wrote to memory of 3036	2464	cmd.exe	45
PID 2464 wrote to memory of 3036	2464	cmd.exe	45
PID 2464 wrote to memory of 3044	2464	cmd.exe	46
PID 2464 wrote to memory of 3044	2464	cmd.exe	46
PID 2464 wrote to memory of 3044	2464	cmd.exe	46
PID 2464 wrote to memory of 3044	2464	cmd.exe	46
PID 2464 wrote to memory of 2840	2464	cmd.exe	47
PID 2464 wrote to memory of 2840	2464	cmd.exe	47
PID 2464 wrote to memory of 2840	2464	cmd.exe	47
PID 2464 wrote to memory of 2840	2464	cmd.exe	47
PID 2464 wrote to memory of 3060	2464	cmd.exe	48
PID 2464 wrote to memory of 3060	2464	cmd.exe	48
PID 2464 wrote to memory of 3060	2464	cmd.exe	48
PID 2464 wrote to memory of 3060	2464	cmd.exe	48
PID 2464 wrote to memory of 3052	2464	cmd.exe	49
PID 2464 wrote to memory of 3052	2464	cmd.exe	49
PID 2464 wrote to memory of 3052	2464	cmd.exe	49
PID 2464 wrote to memory of 3052	2464	cmd.exe	49
PID 2464 wrote to memory of 1880	2464	cmd.exe	50
PID 2464 wrote to memory of 1880	2464	cmd.exe	50
PID 2464 wrote to memory of 1880	2464	cmd.exe	50
PID 2464 wrote to memory of 1880	2464	cmd.exe	50
PID 2464 wrote to memory of 2192	2464	cmd.exe	51
PID 2464 wrote to memory of 2192	2464	cmd.exe	51
PID 2464 wrote to memory of 2192	2464	cmd.exe	51
PID 2464 wrote to memory of 2192	2464	cmd.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eddd6ccb6801986267e55fc7a676aeb4_JaffaCakes118.rtf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:600
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\LimitSave.docx"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:3020
      - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        6⤵
        
        PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
    3⤵
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %tmp%\task.bat & UUUUUUUUc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
32a83d79acd18ac3776b3b51298d3a9f

SHA1
c2a669ac6e371c6cd3b024e114a9a5004cb81500

SHA256
4e738ef995c9c1f0d314a391e047c86439e5294d7778c6d034320d8607f9d604

SHA512
f503e6ff3089ce9cf8071e96072a576c55c61404731d70207ce137b37c7e01895b5c75b3766fd6bacfb0942a41ad8a7c0a5b7d5d0bd3b4473f6d680054b83199

Download Submit
C:\Users\Admin\AppData\Local\Temp\decoy.doc

Filesize
191B

MD5
5d65bac473774c66544cc2f4062c9b78

SHA1
b2b606f85dd95ff2ab5bcca43966a9c4cbb372b2

SHA256
7697184623cf1ffe94e69db38ca0821d3ff2df5826af38a9f7e244f3a725b042

SHA512
853ad5701b858fd350bbf2171955d84d551260f883ccc25eb403f4b2606b6694d34c62ade98db0761da8ac3cb3250e98e19e54c3ab7c927782a3a0ed10924cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
432B

MD5
8decdcaeb92d9f628b6bf95de4c0597a

SHA1
19443ad64921ef01a77619350efcc97cd767a36b

SHA256
e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e

SHA512
d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
149B

MD5
c42b20e49a3b093e2d0c9d6b3051cfc7

SHA1
5fc1f968c7285c8b0c5f25e839e14d77df7e28f3

SHA256
83935da79d6a4dcfd28121b5c0dd01b40e66da125971ac49e65221efb91a65a6

SHA512
01881572adbe471797fd901057fabb1d631fc675dacd33c59876b9bb163deb1b9f8f82ed49c8a19bf69d871abe8e241beba8dcddc84ca4caf13ee4d4be9ac1fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
b18db3082aff153ef523b7201311a19b

SHA1
a7cc6c5063e66230df4b91e0098f988d67164818

SHA256
c59d4844be2fd2a0facbed0d465e5b41cad1e51e2245d6fc79ccad9dc6bb4a91

SHA512
5c66276d299a3717926a46a5a61ef04766a1cce25dafe8ee004ef5cef4311105d10bfc7fd0e1f5a19065922373326e00d00fb03762b05fcf30fcc0c99261a9af

Download Submit
C:\Users\Admin\AppData\Roaming\O49QSTPA\O49logim.jpeg

Filesize
53KB

MD5
cb2802e181182732743837c072973eff

SHA1
3312ee71cfe7bce4d4f2b53be9146dc528da1cd3

SHA256
e4bca566a776df3f014a0255717413b1b00f57c3ec64d411235ccd099c1fa5e8

SHA512
312274ee7427f8bb3275a4a5f77b48bdcdb44a341b9798074d52070d7bf335568110dacf6bc1059c380dc1051733dc0436d2939a633ed3d9d8088811a791711c

Download Submit
C:\Users\Admin\AppData\Roaming\O49QSTPA\O49logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\O49QSTPA\O49logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
344KB

MD5
7b28de13c86de19f47fea4a641703f19

SHA1
086c929ad01d4d35a168b69871c4929f5aa19a44

SHA256
bc5fe6f3325eae27a068067c65b6a24b4aab2f9a88c8ccf48d591260abb172c2

SHA512
faf4a4e3ab257dec28b207c6b49e6e29dfe3488923c996cd6b4983e79b95544d8d1558fc3429a0d7776e5fc0103191d7b5991e0679ecb0fe2679c189be0b8d26

Download Submit
memory/908-71-0x0000000000DB0000-0x0000000000DBD000-memory.dmp

Filesize
52KB

Download
memory/1196-75-0x0000000007620000-0x00000000077AA000-memory.dmp

Filesize
1.5MB

Download
memory/1196-68-0x0000000003A60000-0x0000000003B60000-memory.dmp

Filesize
1024KB

Download
memory/2520-2-0x0000000070BAD000-0x0000000070BB8000-memory.dmp

Filesize
44KB

Download
memory/2520-0-0x000000002F6A1000-0x000000002F6A2000-memory.dmp

Filesize
4KB

Download
memory/2520-41-0x0000000070BAD000-0x0000000070BB8000-memory.dmp

Filesize
44KB

Download
memory/2520-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2800-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2800-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3020-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download