Analysis
-
max time kernel
300s -
max time network
302s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-11-2020 18:06
Static task
static1
Behavioral task
behavioral1
Sample
main.file.rtf
Resource
win7v20201028
General
-
Target
main.file.rtf
-
Size
675KB
-
MD5
91c96924f79fe35471bf3a910e5b50d8
-
SHA1
209edea3cc34d3b65240a5a6e8c969287efae79c
-
SHA256
e3be9192477e43ad94b16f4c0a9775adf9019172c0c89712907a8f9a1680100c
-
SHA512
bbacbf2de97b05c25762e94afbdcba550f0e0e2b5e794526344a8e31b0e7dc988049eac686a247b1002d06f1e4e083c84cd348e07848b979f2615682ea3af72a
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rekeywiz.exepid process 1700 rekeywiz.exe -
Loads dropped DLL 3 IoCs
Processes:
rekeywiz.exepid process 1700 rekeywiz.exe 1700 rekeywiz.exe 1700 rekeywiz.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
EQNEDT32.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sync = "C:\\ProgramData\\SyncFiles\\rekeywiz.exe" EQNEDT32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Processes:
rekeywiz.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 rekeywiz.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 rekeywiz.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1068 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1068 WINWORD.EXE 1068 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEtaskeng.exedescription pid process target process PID 1984 wrote to memory of 1708 1984 EQNEDT32.EXE schtasks.exe PID 1984 wrote to memory of 1708 1984 EQNEDT32.EXE schtasks.exe PID 1984 wrote to memory of 1708 1984 EQNEDT32.EXE schtasks.exe PID 1984 wrote to memory of 1708 1984 EQNEDT32.EXE schtasks.exe PID 1068 wrote to memory of 1340 1068 WINWORD.EXE splwow64.exe PID 1068 wrote to memory of 1340 1068 WINWORD.EXE splwow64.exe PID 1068 wrote to memory of 1340 1068 WINWORD.EXE splwow64.exe PID 1068 wrote to memory of 1340 1068 WINWORD.EXE splwow64.exe PID 1900 wrote to memory of 1700 1900 taskeng.exe rekeywiz.exe PID 1900 wrote to memory of 1700 1900 taskeng.exe rekeywiz.exe PID 1900 wrote to memory of 1700 1900 taskeng.exe rekeywiz.exe PID 1900 wrote to memory of 1700 1900 taskeng.exe rekeywiz.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\main.file.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1340
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Adds Run key to start application
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn "UpdateService" /sc once /tr "C:\ProgramData\SyncFiles\rekeywiz.exe" /st 18:122⤵
- Creates scheduled task(s)
PID:1708
-
C:\Windows\system32\taskeng.exetaskeng.exe {05628EDE-E4A8-49AD-B3E9-D3738631E5C6} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\ProgramData\SyncFiles\rekeywiz.exeC:\ProgramData\SyncFiles\rekeywiz.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1700
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SyncFiles\5oD1GtY.tmpMD5
f8847f6502005fce7afc9ccc80882e9f
SHA1ab0a3792a8161b25f528a4d5018aa3a3add87d81
SHA256ebd1624b6542d80e786a510e96636589a76caf2d2e7f93066dccf264b218466c
SHA512c4b87705a150f27620b97709c6cf11992489bb718fed717cbd4eb053d7e8cbbbc1cd76342538affab72441cc8520636986f5aef5da2463b22ad9eb06af6f5cf2
-
C:\ProgramData\SyncFiles\DUser.dllMD5
8c1f5356a3cfc8359fca3a8c1f1f4800
SHA13a0242706fcbdfa175758f438671d0069d89c5f2
SHA25608942e3360e16dd1759ad8faf956e52afe4a4d943e8e1d0a4ffa5b2526d8ec7a
SHA512a3111d1671374a9b01994cc51959b0e313e87c85c2a7e4470dcbf9b72c7295a770533f96f12bb9c5da0b7ac1664764cf412fb3bcb3be65137148ef6425596d42
-
C:\ProgramData\SyncFiles\rekeywiz.exeMD5
082ed4a73761682f897ea1d7f4529f69
SHA14f77bda9714d009b16e6a13f88b3e12caf0a779d
SHA256fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850
SHA512372c93f63dfeb75de4a1c80f711733efabee635eaa1dfd0a955cae5fd40ba2a3fba8f6ae020cf3b7bb8ccc756fa71a98012be0a328a71c2ba1b4d2b7a0935632
-
C:\ProgramData\SyncFiles\rekeywiz.exeMD5
082ed4a73761682f897ea1d7f4529f69
SHA14f77bda9714d009b16e6a13f88b3e12caf0a779d
SHA256fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850
SHA512372c93f63dfeb75de4a1c80f711733efabee635eaa1dfd0a955cae5fd40ba2a3fba8f6ae020cf3b7bb8ccc756fa71a98012be0a328a71c2ba1b4d2b7a0935632
-
C:\ProgramData\SyncFiles\rekeywiz.exe.configMD5
70ecd7e0bdf8f8d01f7f58be6525e079
SHA178146939a0a921ac2bcfc5a0ae39705614bc000e
SHA256b1fa0771099733e7a9fa296acc7518c1e36c4e473b59eec7acbfb89d80252757
SHA512ed98814c339f50331ea0a80986821aea32b99adf965d6103aa156a655cb201a33dd16fd084432382ea4144ccee41f071c204213bf74324b602daf8d6346780fc
-
C:\Users\Admin\AppData\Local\Temp\1.aMD5
bb320006edafb610bdecd3f591e7d074
SHA1aec6f3bc1132f28fe8940d5941adff7fb3505a48
SHA256a79e35753a6c764527b4994a38a2df07f890815e57a00aee80de0d89a036366b
SHA512024660939a06a286696ed6eaf3ddea55a73b324b00f911634bb9f760f2982a068ae19145601abb001dddfc53f9827f6ca30ff57c55431826621e24139f119d8f
-
\ProgramData\SyncFiles\Duser.dllMD5
8c1f5356a3cfc8359fca3a8c1f1f4800
SHA13a0242706fcbdfa175758f438671d0069d89c5f2
SHA25608942e3360e16dd1759ad8faf956e52afe4a4d943e8e1d0a4ffa5b2526d8ec7a
SHA512a3111d1671374a9b01994cc51959b0e313e87c85c2a7e4470dcbf9b72c7295a770533f96f12bb9c5da0b7ac1664764cf412fb3bcb3be65137148ef6425596d42
-
\ProgramData\SyncFiles\Duser.dllMD5
8c1f5356a3cfc8359fca3a8c1f1f4800
SHA13a0242706fcbdfa175758f438671d0069d89c5f2
SHA25608942e3360e16dd1759ad8faf956e52afe4a4d943e8e1d0a4ffa5b2526d8ec7a
SHA512a3111d1671374a9b01994cc51959b0e313e87c85c2a7e4470dcbf9b72c7295a770533f96f12bb9c5da0b7ac1664764cf412fb3bcb3be65137148ef6425596d42
-
\ProgramData\SyncFiles\Duser.dllMD5
8c1f5356a3cfc8359fca3a8c1f1f4800
SHA13a0242706fcbdfa175758f438671d0069d89c5f2
SHA25608942e3360e16dd1759ad8faf956e52afe4a4d943e8e1d0a4ffa5b2526d8ec7a
SHA512a3111d1671374a9b01994cc51959b0e313e87c85c2a7e4470dcbf9b72c7295a770533f96f12bb9c5da0b7ac1664764cf412fb3bcb3be65137148ef6425596d42
-
memory/1340-2-0x0000000000000000-mapping.dmp
-
memory/1700-4-0x0000000000000000-mapping.dmp
-
memory/1708-1-0x0000000000000000-mapping.dmp