Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-11-2020 10:37
Static task
static1
Behavioral task
behavioral1
Sample
main.file.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
main.file.rtf
Resource
win10v20201028
General
-
Target
main.file.rtf
-
Size
675KB
-
MD5
1239854d603dfaf0d332ba7551d98b4e
-
SHA1
5e4070dcac6dc3601a37cfd372e38c7274a23d41
-
SHA256
9f94f61759b69060d4690bddc51bf0ff15d6c103779355b2399e039cf0b0cba7
-
SHA512
5bd991bbc46736d2201fa6cb61d9c11cf4d49ef5eb52d151452cef4c0ed42d251e643803a43e467a70c3d05911006535b24298410a4aec4a1b01608184118d24
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rekeywiz.exepid process 1960 rekeywiz.exe -
Loads dropped DLL 3 IoCs
Processes:
rekeywiz.exepid process 1960 rekeywiz.exe 1960 rekeywiz.exe 1960 rekeywiz.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
EQNEDT32.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sync = "C:\\ProgramData\\SyncFiles\\rekeywiz.exe" EQNEDT32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEEQNEDT32.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main EQNEDT32.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE -
Processes:
rekeywiz.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 rekeywiz.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 rekeywiz.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1808 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 1808 WINWORD.EXE 1808 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1808 WINWORD.EXE 1808 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEtaskeng.exedescription pid process target process PID 1332 wrote to memory of 1948 1332 EQNEDT32.EXE schtasks.exe PID 1332 wrote to memory of 1948 1332 EQNEDT32.EXE schtasks.exe PID 1332 wrote to memory of 1948 1332 EQNEDT32.EXE schtasks.exe PID 1332 wrote to memory of 1948 1332 EQNEDT32.EXE schtasks.exe PID 1808 wrote to memory of 436 1808 WINWORD.EXE splwow64.exe PID 1808 wrote to memory of 436 1808 WINWORD.EXE splwow64.exe PID 1808 wrote to memory of 436 1808 WINWORD.EXE splwow64.exe PID 1808 wrote to memory of 436 1808 WINWORD.EXE splwow64.exe PID 752 wrote to memory of 1960 752 taskeng.exe rekeywiz.exe PID 752 wrote to memory of 1960 752 taskeng.exe rekeywiz.exe PID 752 wrote to memory of 1960 752 taskeng.exe rekeywiz.exe PID 752 wrote to memory of 1960 752 taskeng.exe rekeywiz.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\main.file.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Adds Run key to start application
- Launches Equation Editor
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn "UpdateService" /sc once /tr "C:\ProgramData\SyncFiles\rekeywiz.exe" /st 10:472⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {BD861BD7-8966-4EA7-99FE-A2BD09E1600D} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\SyncFiles\rekeywiz.exeC:\ProgramData\SyncFiles\rekeywiz.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SyncFiles\7Dn7kpA.tmpMD5
bbc8047b4fca96460442fa6b35046016
SHA1c868a561fe5bae6bae5d9fd4bbd2c722dd7c9c84
SHA256d1088c944a0937f8d4728f874a156aaf27c1c84fe7318de2ef0326e7e584995f
SHA5124a4d97939ccd2a243794707b0fd3f5139663f86986eeb0db9df144e2c2f6984e35a0652f01fe3b744f8a59e8355b5ad5444be0327258cfa3380f39dcd4498bc9
-
C:\ProgramData\SyncFiles\DUser.dllMD5
f140fdfa0d1068a949576ea4fff011eb
SHA18ed43a3b8933167fdf4f961d2395efce0a218106
SHA256264c081147d128b87c9ce5813792f13d79df619d6480e356c29be483c8cb0d67
SHA5128aa3ee378b3f659a0e40ba0f2b1780366d59bbd7720f60df403fe7a4e37d39629cbbaabc47e7feb7f9736376f4381a2a484522635e2ced886556900d62413853
-
C:\ProgramData\SyncFiles\rekeywiz.exeMD5
082ed4a73761682f897ea1d7f4529f69
SHA14f77bda9714d009b16e6a13f88b3e12caf0a779d
SHA256fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850
SHA512372c93f63dfeb75de4a1c80f711733efabee635eaa1dfd0a955cae5fd40ba2a3fba8f6ae020cf3b7bb8ccc756fa71a98012be0a328a71c2ba1b4d2b7a0935632
-
C:\ProgramData\SyncFiles\rekeywiz.exeMD5
082ed4a73761682f897ea1d7f4529f69
SHA14f77bda9714d009b16e6a13f88b3e12caf0a779d
SHA256fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850
SHA512372c93f63dfeb75de4a1c80f711733efabee635eaa1dfd0a955cae5fd40ba2a3fba8f6ae020cf3b7bb8ccc756fa71a98012be0a328a71c2ba1b4d2b7a0935632
-
C:\ProgramData\SyncFiles\rekeywiz.exe.configMD5
70ecd7e0bdf8f8d01f7f58be6525e079
SHA178146939a0a921ac2bcfc5a0ae39705614bc000e
SHA256b1fa0771099733e7a9fa296acc7518c1e36c4e473b59eec7acbfb89d80252757
SHA512ed98814c339f50331ea0a80986821aea32b99adf965d6103aa156a655cb201a33dd16fd084432382ea4144ccee41f071c204213bf74324b602daf8d6346780fc
-
C:\Users\Admin\AppData\Local\Temp\1.aMD5
a37415e2f7aab3337c38eafc6c743455
SHA1258b969882c55e487b9a84667a333531069508cc
SHA2560d27e056d926ae8a41472d3ff9c2e47c456b480dff535de95206145eb16887b7
SHA512f76a62a45496339920d6cbe0e52241c937d1b1ee02b37bfa56a4731650eac04b5bc5acbd1fef78534569faa0ed204abd72233bcfdbdb78c7b14a5eb496290bba
-
\ProgramData\SyncFiles\Duser.dllMD5
f140fdfa0d1068a949576ea4fff011eb
SHA18ed43a3b8933167fdf4f961d2395efce0a218106
SHA256264c081147d128b87c9ce5813792f13d79df619d6480e356c29be483c8cb0d67
SHA5128aa3ee378b3f659a0e40ba0f2b1780366d59bbd7720f60df403fe7a4e37d39629cbbaabc47e7feb7f9736376f4381a2a484522635e2ced886556900d62413853
-
\ProgramData\SyncFiles\Duser.dllMD5
f140fdfa0d1068a949576ea4fff011eb
SHA18ed43a3b8933167fdf4f961d2395efce0a218106
SHA256264c081147d128b87c9ce5813792f13d79df619d6480e356c29be483c8cb0d67
SHA5128aa3ee378b3f659a0e40ba0f2b1780366d59bbd7720f60df403fe7a4e37d39629cbbaabc47e7feb7f9736376f4381a2a484522635e2ced886556900d62413853
-
\ProgramData\SyncFiles\Duser.dllMD5
f140fdfa0d1068a949576ea4fff011eb
SHA18ed43a3b8933167fdf4f961d2395efce0a218106
SHA256264c081147d128b87c9ce5813792f13d79df619d6480e356c29be483c8cb0d67
SHA5128aa3ee378b3f659a0e40ba0f2b1780366d59bbd7720f60df403fe7a4e37d39629cbbaabc47e7feb7f9736376f4381a2a484522635e2ced886556900d62413853
-
memory/436-4-0x0000000000000000-mapping.dmp
-
memory/1332-3-0x00000000085D0000-0x00000000085F3000-memory.dmpFilesize
140KB
-
memory/1728-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmpFilesize
2.5MB
-
memory/1948-1-0x0000000000000000-mapping.dmp
-
memory/1960-6-0x0000000000000000-mapping.dmp