Analysis

max time kernel: 147s
max time network: 143s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 09:24
Static task: static1

Behavioral task: behavioral1
  Sample: Orderfor july.xlsx
  Resource: win7

Behavioral task: behavioral2
  Sample: Orderfor july.xlsx
  Resource: win10v200430
General

Target: Orderfor july.xlsx
Size: 14KB
MD5: d27eeb485092524e4b2080ec1260da80
SHA1: ea9031e9ffdefbcd760ca2dcc8f5c7015e113b51
SHA256: f58398d719869f9ce7478274ee24fe8c714184d37289efc2496c0ba52c64e0ce
SHA512: 23f5b1089624c01804a7aec893c6a465f028347be52ff78d0505e38b847e2537a6ccebb65e01a1d9aa45cb4a1fbb60e06d34d182203dfd38169729e169f22a7f
Malware Config

Signatures
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid | process
  1760 | regasms.exe
  1880 | regasms.exe (3 events)
  1920 | raserver.exe (4 events)
System policy modification (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | raserver.exe

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | raserver.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid | process
  1492 | EXCEL.EXE
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  336 | EQNEDT32.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes:
  pid | process
  1760 | regasms.exe
  1880 | regasms.exe (2 events)
  1920 | raserver.exe (26 events)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | procid_target
  PID 1760 set thread context of 1880 | 1760 | regasms.exe | 28
  PID 1880 set thread context of 1228 | 1880 | regasms.exe | 20
  PID 1920 set thread context of 1228 | 1920 | raserver.exe | 20
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1880 | regasms.exe
  Token: SeDebugPrivilege | 1920 | raserver.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
  pid | process
  1228 | Explorer.EXE (8 events)
Drops file in Program Files directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Dnnux\igfxefg8.exe | raserver.exe
Blacklisted process makes network request (1 IoCs)
Processes:
  flow | pid | process
  5 | 336 | EQNEDT32.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | procid_target
  PID 336 wrote to memory of 1760 | 336 | EQNEDT32.EXE | 27 (4 events)
  PID 1760 wrote to memory of 1880 | 1760 | regasms.exe | 28 (4 events)
  PID 1228 wrote to memory of 1920 | 1228 | Explorer.EXE | 30 (4 events)
  PID 1920 wrote to memory of 1648 | 1920 | raserver.exe | 31 (4 events)
  PID 1920 wrote to memory of 2020 | 1920 | raserver.exe | 33 (5 events)
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  1760 | regasms.exe
  1880 | regasms.exe
Suspicious use of SendNotifyMessage (7 IoCs)
Processes:
  pid | process
  1228 | Explorer.EXE (7 events)
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | raserver.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8PBXNJQ8OLP = "C:\\Program Files (x86)\\Dnnux\\igfxefg8.exe" | raserver.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  1492 | EXCEL.EXE (3 events)
Processes

C:\Windows\Explorer.EXE (PID 1228)
  Command line: C:\Windows\Explorer.EXE
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 1492)
    Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orderfor july.xlsx"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\raserver.exe (PID 1920)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious behavior: MapViewOfSection
    - System policy modification
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to policy start application

    C:\Windows\SysWOW64\cmd.exe (PID 1648)
      Command line: /c del "C:\Users\Admin\AppData\Roaming\regasms.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2020)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 336)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Loads dropped DLL
  - Blacklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\regasms.exe (PID 1760)
    Command line: C:\Users\Admin\AppData\Roaming\regasms.exe
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\regasms.exe (PID 1880)
      Command line: C:\Users\Admin\AppData\Roaming\regasms.exe
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Executes dropped EXE