Analysis

max time kernel: 70s
max time network: 24s
platform: windows7_x64
resource: win7v20201028
submitted: 15-01-2021 15:37

Static task: static1

Behavioral task: behavioral1
  Sample: Official-PaymentDetail15012021.doc
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Official-PaymentDetail15012021.doc
  Resource: win10v20201028

General

Target: Official-PaymentDetail15012021.doc
Size: 3.6MB
MD5: d0067fec7b7ccc9a37fb8fe52cf9dd98
SHA1: 7f959612668dfa1565ee6523a47178566b1c2b3f
SHA256: 5e2fa30500b10cdb21e9c221603132cddc9ad1eea0046ade38b10fc9d60743f6
SHA512: 7a3e4c124c8f7425f00e00950bfcad6cfdf140d02ab073d1834932a637f219d7bbb2b2530b8fc501098c37098d1e5c25cd0d8015769e599d7943af02d829b28f
Malware Config

Extracted
Family: warzonerat
C2: 79.134.225.23:5200
Signatures

WarzoneRat, AveMaria
Warzone RAT (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service.

Warzone RAT Payload 3 IoCs
resource                                                                     yara_rule
behavioral1/memory/1220-41-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
behavioral1/memory/1220-42-0x0000000000405CE2-mapping.dmp                    warzonerat
behavioral1/memory/1220-43-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
All three hits are in PID 1220 (MSBuild.exe), the SetThreadContext target of powershell.exe (PID 988), in the image-base region 0x400000-0x554000; the RAT is only ever resident in that hollowed process in this run.
Blocklisted process makes network request 6 IoCs
flow  pid   process
5     1692  EQNEDT32.EXE
6     1692  EQNEDT32.EXE
8     1692  EQNEDT32.EXE
10    1692  EQNEDT32.EXE
12    1692  EQNEDT32.EXE
14    1692  EQNEDT32.EXE
EQNEDT32.EXE has no legitimate reason to open network connections; here the flows precede it executing C:\Users\Public\69577.exe, the first dropped file in the chain.
Executes dropped EXE 2 IoCs
pid   process
1720  69577.exe
1300  images.exe

Loads dropped DLL 2 IoCs
pid   process
1692  EQNEDT32.EXE
1220  MSBuild.exe
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"  MSBuild.exe
The value lands under Wow6432Node because the hollowed MSBuild.exe is the 32-bit Framework build running on x64; when hunting, query both the native and the Wow6432Node Run key.
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                                              process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
The unexpanded %ProgramData% in this path is a quirk of 32-bit powershell.exe start-up that appears in many reports; on its own it is not an indicator.
Suspicious use of SetThreadContext 1 IoCs
description                         pid  process         target process
PID 988 set thread context of 1220  988  powershell.exe  MSBuild.exe
Together with the twelve WriteProcessMemory calls from 988 into 1220 and the Warzone YARA hits at 0x400000 in PID 1220, this is consistent with process hollowing: the payload is written over the MSBuild.exe image and its thread is pointed at 0x405CE2 (the mapping dump below) before it runs.
Drops file in Windows directory 1 IoCs
description                   ioc                                 process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out-of-process by DCOM, so in the process tree below it appears as a top-level process (note the -Embedding switch) rather than as a child of WINWORD.EXE; parent-child detection rules keyed on WINWORD.EXE will not see it, rules keyed on EQNEDT32.EXE spawning anything will.

Modifies Internet Explorer settings 9 IoCs
description      ioc                                                                                                                                                                          process
Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                           WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar                                                                      WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                         WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt                                                                      WINWORD.EXE
Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                                     WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                                     WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                            WINWORD.EXE
These are Office 2010's own first-run registrations of the OneNote and Excel IE context-menu extensions (the res:// targets point into Office14); they are benign on their own.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   process
1740  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  process
988  powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid  process
Token: SeDebugPrivilege  988  powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid   process
1720  69577.exe (18 events)

Suspicious use of SendNotifyMessage 18 IoCs
pid   process
1720  69577.exe (18 events)

Suspicious use of SetWindowsHookEx 2 IoCs
pid   process
1740  WINWORD.EXE (2 events)
Suspicious use of WriteProcessMemory 36 IoCs
description                       pid   process         target process  events
PID 1740 wrote to memory of 1244  1740  WINWORD.EXE     splwow64.exe    4
PID 1692 wrote to memory of 1720  1692  EQNEDT32.EXE    69577.exe       4
PID 1720 wrote to memory of 988   1720  69577.exe       powershell.exe  4
PID 988 wrote to memory of 1136   988   powershell.exe  csc.exe         4
PID 1136 wrote to memory of 932   1136  csc.exe         cvtres.exe      4
PID 988 wrote to memory of 1220   988   powershell.exe  MSBuild.exe     12
PID 1220 wrote to memory of 1300  1220  MSBuild.exe     images.exe      4
Every ordinary parent-child pair in this tree shows four writes; only powershell.exe -> MSBuild.exe exceeds that baseline, with twelve, which is where the payload is written into the hollowed process.
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Official-PaymentDetail15012021.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    cmdline: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\69577.exe
    cmdline: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s0qtkqem\s0qtkqem.cmdline"
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F40.tmp" "c:\Users\Admin\AppData\Local\Temp\s0qtkqem\CSCDE072A6D255F4111AB171D27A94B1C70.TMP"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\images.exe
          cmdline: "C:\ProgramData\images.exe"
          - Executes dropped EXE

Reading the tree: EQNEDT32.EXE is a separate root because DCOM, not WINWORD.EXE, starts it. csc.exe and cvtres.exe under powershell.exe are the run-time C# compilation that PowerShell's Add-Type performs (random-named Temp directory, .cmdline response file, .0.cs source, RES*.tmp resource file and the resulting s0qtkqem.dll, all listed under Downloads below). MSBuild.exe is launched with no project file, receives WriteProcessMemory and SetThreadContext from powershell.exe, and from then on it, not powershell.exe, writes the Run key and starts images.exe: the RAT runs inside the hollowed MSBuild.exe.
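The execution chain above reduced to detection logic. This is an added example, not part of the sandbox report: it replays constructed Sysmon-style process-creation, SetThreadContext and registry events that mirror the tree (PIDs, image paths, command lines and the Run-key write are taken from the report; the parent PIDs 600 for WINWORD.EXE and 700 for the DCOM svchost that starts EQNEDT32.EXE are assumed) and flags the behaviors an analyst would alert on: any child of EQNEDT32.EXE, executables running from drop locations, PowerShell with -ExecutionPolicy Bypass, SetThreadContext from a script host into a process started with a bare command line, and Run-key values pointing into user-writable paths.

```python
"""Detection logic for the execution chain in this report, replayed over
constructed Sysmon-style events.  Added example, not part of the sandbox
report.  PIDs, image paths and command lines come from the process tree;
the parents of WINWORD.EXE (pid 600) and EQNEDT32.EXE (pid 700, the DCOM
svchost) are assumed."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    value: str
    data: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION"

# Constructed process-creation events mirroring the report's tree.
PROCS = [
    Proc(1740, 600, OFFICE + r"\WINWORD.EXE",
         f'"{OFFICE}\\WINWORD.EXE" /n "{TMP}\\Official-PaymentDetail15012021.doc"'),
    Proc(1244, 1740, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    # started by DCOM (assumed pid 700), not by WINWORD.EXE, hence a separate root
    Proc(1692, 700, EQN + r"\EQNEDT32.EXE", f'"{EQN}\\EQNEDT32.EXE" -Embedding'),
    Proc(1720, 1692, r"C:\Users\Public\69577.exe", r'"C:\Users\Public\69577.exe"'),
    Proc(988, 1720, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         f"powershell -executionpolicy bypass {TMP}\\hrructiRk.ps1"),
    Proc(1136, 988, NET + r"\csc.exe",
         f'"{NET}\\csc.exe" /noconfig /fullpaths @"{TMP}\\s0qtkqem\\s0qtkqem.cmdline"'),
    Proc(932, 1136, NET + r"\cvtres.exe", f"{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(1220, 988, NET + r"\MSBuild.exe", f'"{NET}\\MSBuild.exe"'),
    Proc(1300, 1220, r"C:\ProgramData\images.exe", r'"C:\ProgramData\images.exe"'),
]
# SetThreadContext events (source pid, target pid) and the Run-key write, from the report.
THREAD_CTX = [(988, 1220)]
REG = [RegSet(1220, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
              "Images", r"C:\ProgramData\images.exe")]

USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp", r"\appdata\roaming")
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -ExecutionPolicy may be abbreviated to any prefix (-ep, -exec, ...), in any case
BYPASS = re.compile(r"-ex?e?c?u?t?i?o?n?p?o?l?i?c?y?\s+bypass", re.IGNORECASE)


def base(path):
    return ntpath.basename(path).lower()


def by_pid(procs):
    return {p.pid: p for p in procs}


def ancestry(procs, pid):
    """Image names from pid upward until a parent outside the event set."""
    table, chain = by_pid(procs), []
    while pid in table:
        chain.append(ntpath.basename(table[pid].image))
        pid = table[pid].ppid
    return chain


def eqnedt_children(procs):
    """Equation Editor never legitimately spawns a process: any child is the CVE-2017-11882 pattern."""
    table = by_pid(procs)
    return [p for p in procs if p.ppid in table and base(table[p.ppid].image) == "eqnedt32.exe"]


def dropped_executables(procs):
    """Executables running from user-writable drop locations."""
    return [p for p in procs if any(m in p.image.lower() for m in USER_WRITABLE)]


def powershell_bypass(procs):
    """powershell.exe started with -ExecutionPolicy Bypass."""
    return [p for p in procs if base(p.image) == "powershell.exe" and BYPASS.search(p.cmdline)]


def hollowing_candidates(procs, thread_ctx):
    """SetThreadContext from a script host into a process whose command line is just its
    image path (MSBuild.exe with no project file is a classic hollowing host)."""
    table, hits = by_pid(procs), []
    for src, dst in thread_ctx:
        s, d = table.get(src), table.get(dst)
        if s and d and base(s.image) in SCRIPT_HOSTS \
                and d.cmdline.strip().strip('"').lower() == d.image.lower():
            hits.append((src, dst))
    return hits


def suspicious_run_values(reg):
    """Run-key values (native or Wow6432Node) whose data points into a drop location."""
    return [(r.value, r.data) for r in reg
            if r.key.lower().endswith(r"\currentversion\run")
            and any(m in r.data.lower() for m in USER_WRITABLE)]


if __name__ == "__main__":
    print("chain:", " <- ".join(ancestry(PROCS, 1300)))
    for name, fn in [("eqnedt32 child", eqnedt_children), ("dropped exe", dropped_executables),
                     ("ps bypass", powershell_bypass)]:
        for p in fn(PROCS):
            print(f"[{name}] pid {p.pid}: {p.cmdline}")
    print("hollowing:", hollowing_candidates(PROCS, THREAD_CTX))
    print("run keys:", suspicious_run_values(REG))
```

The ancestry walk stops at EQNEDT32.EXE because its parent (the DCOM svchost) is outside the event set, which is exactly why a rule looking for WINWORD.EXE as the ancestor of powershell.exe would miss this sample; the EQNEDT32.EXE-spawns-anything rule does not depend on the Office parent at all.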
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\images.exe
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 2f415ff796c8a4740d0b4cc070db77f5
  SHA1: 2a97777f699306ae85ef25a52c320f0940023476
  SHA256: 924447bd3883e7bb58af799ad0e07851311379bd7ff598e92b0cab3b906c1305
  SHA512: 0fbf51279017722a1f420f6ce2725e8ab3848993c8e6d2a94373b081385d8ea5377843d42835ee8b4e0406fa584f3fa1b15ca396f13330a1eba6db5461bf9242

C:\Users\Admin\AppData\Local\Temp\RES5F40.tmp
  MD5: c5e3b2e6519468d2aac822b0ba0d243d
  SHA1: a172e8cd7816a2dacf7a9793d779c9c8fd6ef50d
  SHA256: 3e269f90f5a915cea5dfc14facc23728d722b2638bc12386540fdd5a757da759
  SHA512: 2ddcf942c08fa3ad19a71d34767da1675b287884fd327cfffcfd1a2f63d476f3ee8a0d3ffcc4fad1e11ecca4f2c5acbd1f11caf635f939bad40825ead632d1ab

C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
  MD5: 4756913fe47c2d12e5cc12bd27925afb
  SHA1: b6d8060008e27091b794ddd39b7b6aa2fc907d0c
  SHA256: 0adf93292bc449eab420a088740f62f9e73d00ffc4ce8f8f33c3a05f17fe2629
  SHA512: 20af4bc153c56c66ed46a8b129fd822769eddfe6e812e7999aeb522d5d6363bccb088dbd69e585d755fa69c9678eedf0e619f1a3c81dbf1c3d326b6016c773b5

C:\Users\Admin\AppData\Local\Temp\s0qtkqem\s0qtkqem.dll
  MD5: 9ffe92ad092641be93ca7bb2e9ea799e
  SHA1: 5ef1bb6a7db8c03ab3894e75caefe0caff63b84b
  SHA256: b55cb255b03417ca15f7a9973ed35a944a105ab7430621065e505d249b7c989e
  SHA512: cb985822249e839b5ff591aa04946c34a93c215649d40252feb6a7c4936f73e9bec9dbc7795a770b71605b8a2c492b32690552d14c4450ddc278db3465997e49

C:\Users\Public\69577.exe
  MD5: fa1bf2c3e92bf67c61bd482b3b4e20e9
  SHA1: d0f8938c1249fca3eb5d0ecb76a21bcfc3cd5bb4
  SHA256: 8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d
  SHA512: 47d9a06b14652ed54dfa0cfa09b6a918537dbb3fed10ed14a313b94f66b9dbcd15d3c4cf13aa0f6b5bb3292ae91ecef4d0a4de8061af29e5a18db4bc9c3c29fd

\??\c:\Users\Admin\AppData\Local\Temp\s0qtkqem\CSCDE072A6D255F4111AB171D27A94B1C70.TMP
  MD5: 260338ce75cd500f35a510bdcbcb0505
  SHA1: c7d756ff22a74dd30b938e048a96ea7a32f825c9
  SHA256: 9cd962e5eb6d8787c5823af989c2ef209ca05b59ff70ded89134de9a270012e8
  SHA512: c1ae08fbbc965592a2f8cfe1d93086db42e19d072e9680761885f9eac3a8b7a66a13246b1bb2ccb95f5576d0856c0a7ba6940d5ae2c4b759274ed2ff80abe4e7

\??\c:\Users\Admin\AppData\Local\Temp\s0qtkqem\s0qtkqem.0.cs
  MD5: e8c41bf3708cc4bd505851f38966151a
  SHA1: ab943b19fb2e837904c97a3c52309c1f2c20dc9c
  SHA256: 54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9
  SHA512: 40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

\??\c:\Users\Admin\AppData\Local\Temp\s0qtkqem\s0qtkqem.cmdline
  MD5: 8be5aa5ceb4b26b7423d8e334965dff7
  SHA1: 4b9bd72d8360bcd2891f5229d89393c8a7843e7e
  SHA256: b57e39c9a2c1b7a71d87720c4e9df91579170f92d64b9f2293f8679ffe0facab
  SHA512: 73d0d57ce4277f1e5873733da0e74f13f1e3e4b9da7f86ff94e4bf501ef64eb38fa0d44b77188c9a00e5a71dcb3d9bf5da1a8ac6c17945faae3ccb94b75f97bf

\ProgramData\images.exe (same file as C:\ProgramData\images.exe above)
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

\Users\Public\69577.exe (same file as C:\Users\Public\69577.exe above)
  MD5: fa1bf2c3e92bf67c61bd482b3b4e20e9
  SHA1: d0f8938c1249fca3eb5d0ecb76a21bcfc3cd5bb4
  SHA256: 8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d
  SHA512: 47d9a06b14652ed54dfa0cfa09b6a918537dbb3fed10ed14a313b94f66b9dbcd15d3c4cf13aa0f6b5bb3292ae91ecef4d0a4de8061af29e5a18db4bc9c3c29fd

Memory dumps (filesize as reported)
memory/268-3-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp    2.5MB
memory/932-36-0x0000000000000000-mapping.dmp
memory/988-32-0x000000000A300000-0x000000000A301000-memory.dmp   4KB
memory/988-11-0x0000000002340000-0x0000000002341000-memory.dmp   4KB
memory/988-31-0x000000000A2D0000-0x000000000A2D1000-memory.dmp   4KB
memory/988-9-0x0000000000000000-mapping.dmp
memory/988-10-0x000000006A780000-0x000000006AE6E000-memory.dmp   6.9MB
memory/988-23-0x000000000A130000-0x000000000A131000-memory.dmp   4KB
memory/988-18-0x00000000090B0000-0x00000000090B1000-memory.dmp   4KB
memory/988-14-0x0000000005240000-0x0000000005241000-memory.dmp   4KB
memory/988-40-0x000000000A450000-0x000000000A451000-memory.dmp   4KB
memory/988-13-0x0000000002600000-0x0000000002601000-memory.dmp   4KB
memory/988-12-0x00000000048D0000-0x00000000048D1000-memory.dmp   4KB
memory/988-24-0x000000000A1E0000-0x000000000A1E1000-memory.dmp   4KB
memory/1136-33-0x0000000000000000-mapping.dmp
memory/1220-41-0x0000000000400000-0x0000000000554000-memory.dmp  1.3MB
memory/1220-42-0x0000000000405CE2-mapping.dmp
memory/1220-43-0x0000000000400000-0x0000000000554000-memory.dmp  1.3MB
memory/1244-2-0x0000000000000000-mapping.dmp
memory/1300-45-0x0000000000000000-mapping.dmp
memory/1300-48-0x000000006A860000-0x000000006AF4E000-memory.dmp  6.9MB
memory/1300-49-0x00000000008E0000-0x00000000008E1000-memory.dmp  4KB
memory/1720-5-0x0000000000000000-mapping.dmp
The two 1.3MB dumps of PID 1220 (0x400000-0x554000) are the regions that matched the warzonerat YARA rule; the 1220-42 mapping address 0x405CE2 lies inside that region at RVA 0x5CE2 from the 0x400000 base, and is the best starting point for carving the unpacked RAT out of the dump.
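Correlating the memory dumps with the YARA hits and the SetThreadContext target, as an added example that is not part of the report: it parses the dump names listed above into (pid, start, end) regions, recomputes the sizes the report prints, and identifies the hollowed image in PID 1220 together with the RVA of the mapped thread start. The dump names, the yara_rule column and the target PID are copied from this page; the only assumption is the report's rounding convention for sizes (whole KB below 1 MiB, one decimal MB above), which the constructed inputs confirm.

```python
"""Correlate sandbox memory-dump names with YARA hits and the injection target.
Added example, not part of the report; inputs are copied from the page."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

# Dump names from the report (subset) and the yara_rule column of the signature table.
DUMPS = """
memory/988-10-0x000000006A780000-0x000000006AE6E000-memory.dmp
memory/988-32-0x000000000A300000-0x000000000A301000-memory.dmp
memory/1136-33-0x0000000000000000-mapping.dmp
memory/1220-41-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1220-42-0x0000000000405CE2-mapping.dmp
memory/1220-43-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1300-45-0x0000000000000000-mapping.dmp
memory/1300-48-0x000000006A860000-0x000000006AF4E000-memory.dmp
""".split()
YARA_HITS = {
    "memory/1220-41-0x0000000000400000-0x0000000000554000-memory.dmp": "warzonerat",
    "memory/1220-42-0x0000000000405CE2-mapping.dmp": "warzonerat",
    "memory/1220-43-0x0000000000400000-0x0000000000554000-memory.dmp": "warzonerat",
}
SET_THREAD_CONTEXT_TARGETS = {1220}   # from the SetThreadContext signature


def parse_dump(name):
    """memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp -> dict."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": int(m["start"], 16),
            "end": end, "kind": m["kind"], "name": name}


def human(n):
    """Size formatting matching the report: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def regions_by_pid(names):
    out = defaultdict(list)
    for d in map(parse_dump, names):
        out[d["pid"]].append(d)
    return out


def hollowed_images(names, yara_hits, targets):
    """For each SetThreadContext target, pair YARA-flagged memory regions with the mapping
    address (thread start) that falls inside them; return base, size and entry RVA."""
    found = []
    for pid, dumps in regions_by_pid(names).items():
        if pid not in targets:
            continue
        regions = [d for d in dumps if d["kind"] == "memory" and d["name"] in yara_hits]
        starts = [d["start"] for d in dumps if d["kind"] == "mapping"]
        for r in regions:
            for s in starts:
                if r["start"] <= s < r["end"]:
                    found.append({"pid": pid, "base": r["start"], "size": r["end"] - r["start"],
                                  "entry_rva": s - r["start"], "rule": yara_hits[r["name"]]})
    # dumps 41 and 43 cover the same region; collapse duplicates to one row per (pid, base, rva)
    uniq = {(f["pid"], f["base"], f["entry_rva"]): f for f in found}
    return sorted(uniq.values(), key=lambda f: (f["pid"], f["base"]))


if __name__ == "__main__":
    for pid, dumps in sorted(regions_by_pid(DUMPS).items()):
        for d in dumps:
            size = human(d["end"] - d["start"]) if d["end"] is not None else "mapping"
            print(f"{pid:5d} {d['start']:#018x} {size}")
    for h in hollowed_images(DUMPS, YARA_HITS, SET_THREAD_CONTEXT_TARGETS):
        print(f"pid {h['pid']}: {h['rule']} image at {h['base']:#x}, {human(h['size'])}, "
              f"thread start RVA {h['entry_rva']:#x}")
```

Running it reproduces the 1.3MB, 6.9MB and 4KB figures from the list above and reports one hollowed image: PID 1220, base 0x400000, 0x154000 bytes, thread start at RVA 0x5CE2. PID 1300 (images.exe) has a mapping dump and a 6.9MB region but no YARA hit, so it is correctly not reported; whether images.exe is a second copy of the RAT cannot be decided from these dumps alone.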