Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7v20210410
submitted: 16-04-2021 14:39

Static task: static1

Behavioral task: behavioral1
  Sample: Tender Offer.doc.rtf
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: Tender Offer.doc.rtf
  Resource: win10v20210408
General

Target: Tender Offer.doc.rtf
Size: 609KB
MD5: 398a7dca0715973d3a91a0383613acb6
SHA1: b5a0830f536f8a2cf50ef1b133eeac9f992e3213
SHA256: 3f968649c02fd5ee3f14e1d30803512bebc391ceac8005e76d3be87276df10ea
SHA512: 8e64601754da1b5b9b9a93f35ac8fd63085bec5aa8b0f67728613712b6648988d56efdb3907b05c3a19e0582cbbeeb712320cab2c57a59a3eb046582d2b43103
Malware Config

Extracted: remcos
  79.134.225.17:2050
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow 7, pid 1676, process EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
  Processes:
    pid 1016, process dutyx4793.exe
    pid 1088, process dutyx4793.exe

Loads dropped DLL (1 IoC)
  Processes:
    pid 1676, process EQNEDT32.EXE

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1016 set thread context of 1088; process dutyx4793.exe, target process dutyx4793.exe

Drops file in Windows directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
  Processes (all by WINWORD.EXE; every key below is relative to \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer):
    Key created: \Toolbar
    Key created: \MenuExt
    Key created: \MenuExt\Se&nd to OneNote
    Set value (int): \MenuExt\Se&nd to OneNote\Contexts = "55"
    Set value (str): \MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (str): \Toolbar\ShowDiscussionButton = "Yes"
    Set value (str): \MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key created: \MenuExt\E&xport to Microsoft Excel
    Set value (int): \MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1040, process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid 1016, process dutyx4793.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, pid 1016, process dutyx4793.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 1040, process WINWORD.EXE (2 occurrences)
    pid 1088, process dutyx4793.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
    PID 1676 (EQNEDT32.EXE) wrote to memory of 1016 (dutyx4793.exe): 4 occurrences
    PID 1040 (WINWORD.EXE) wrote to memory of 1604 (splwow64.exe): 4 occurrences
    PID 1016 (dutyx4793.exe) wrote to memory of 1200 (schtasks.exe): 4 occurrences
    PID 1016 (dutyx4793.exe) wrote to memory of 1088 (dutyx4793.exe): 13 occurrences
Processes (tree depth in brackets)

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tender Offer.doc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\dutyx4793.exe
        Command line: "C:\Users\Admin\AppData\Roaming\dutyx4793.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\augPTtA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE051.tmp"
            - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Roaming\dutyx4793.exe
            Command line: "C:\Users\Admin\AppData\Roaming\dutyx4793.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE051.tmp
  MD5: b2cab156876d9bbcd4b747b35175bb9a
  SHA1: 6b56f749ac0c89ca43c6f7a0b112c11c4a62eb10
  SHA256: 34a2dfb29061e5c27f67fce0e399df32e28e06d66d00ef162cdadeef6212dae6
  SHA512: dec97d2d2619f08f4c6c3886bb85d8c77320c9ac48e4d7b385b05d3669b50f49f6ba78391eedc498c32b6e6f6d4fd14cd0780776424f246bbd60f2e9e7a176e3

C:\Users\Admin\AppData\Roaming\dutyx4793.exe
  MD5: 801f5b2e55c1168dfa6b1e6d0c8c9663
  SHA1: 38b46a6b87c58bf2818daba967e90f30abc7b3ce
  SHA256: 54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0
  SHA512: dfbc195c9cd2eb8470cb0cea788f40009dc59055211e9f6fb2ee4333e69e51e78c815a20738c662e86e36a9bacabb4511e99d4ab535f5ad4f83747ed488052bc
Memory dumps (file name encodes PID, index and region; size where recorded):
  memory/1016-70-0x0000000004D70000-0x0000000004D71000-memory.dmp   4KB
  memory/1016-78-0x000000000B5C0000-0x000000000B632000-memory.dmp   456KB
  memory/1016-64-0x0000000000000000-mapping.dmp
  memory/1016-67-0x0000000000FD0000-0x0000000000FD1000-memory.dmp   4KB
  memory/1016-69-0x00000000004D0000-0x00000000004D9000-memory.dmp   36KB
  memory/1016-75-0x0000000007600000-0x0000000007682000-memory.dmp   520KB
  memory/1016-74-0x0000000005060000-0x0000000005105000-memory.dmp   660KB
  memory/1040-73-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
  memory/1040-59-0x0000000072491000-0x0000000072494000-memory.dmp   12KB
  memory/1040-61-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
  memory/1040-60-0x000000006FF11000-0x000000006FF13000-memory.dmp   8KB
  memory/1088-79-0x0000000000400000-0x0000000000478000-memory.dmp   480KB
  memory/1088-80-0x000000000042EEEF-mapping.dmp
  memory/1088-83-0x0000000000400000-0x0000000000478000-memory.dmp   480KB
  memory/1200-76-0x0000000000000000-mapping.dmp
  memory/1604-72-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp   8KB
  memory/1604-71-0x0000000000000000-mapping.dmp
  memory/1676-62-0x0000000074F31000-0x0000000074F33000-memory.dmp   8KB