General
Target: Zakaz na pokupku 21-10-2021.doc
Filesize: 4KB
Completed: 21-10-2021 18:02
Task: behavioral1
Score: 10/10
MD5: e205f10f887754bd65281f14c25c0f21
SHA1: b356aab56ba5eb993326e4ede7e254e7181aa165
SHA256: 5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d
SHA512: cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2

Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: 1
C2: 185.157.160.136:1973
Attributes
anti_vm: false
bsod: false
delay: 38
install: false
install_folder: %AppData%
pastebin_config: null
aes.plain
Signatures 22
Tactics: Defense Evasion, Execution, Persistence
  • AsyncRat

    Description

    AsyncRAT is designed to remotely monitor and control other computers.

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • BitRAT Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1968-95-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
    behavioral1/memory/1968-96-0x000000000068A488-mapping.dmp | family_bitrat
    behavioral1/memory/1968-97-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
  • Async RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/680-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/680-71-0x000000000040C6BE-mapping.dmp | asyncrat
    behavioral1/memory/680-72-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/680-78-0x00000000005B0000-0x00000000005CB000-memory.dmp | asyncrat
  • Blocklisted process makes network request
    EQNEDT32.EXE

    Reported IOCs

    flow | pid | process
    5 | 544 | EQNEDT32.EXE
  • Downloads MZ/PE file
  • Executes dropped EXE
    dry.exe, pzvkot.exe

    Reported IOCs

    pid | process
    1556 | dry.exe
    328 | pzvkot.exe
  • Loads dropped DLL
    EQNEDT32.EXE, powershell.exe

    Reported IOCs

    pid | process
    544 | EQNEDT32.EXE
    544 | EQNEDT32.EXE
    544 | EQNEDT32.EXE
    544 | EQNEDT32.EXE
    544 | EQNEDT32.EXE
    1712 | powershell.exe
    1712 | powershell.exe
  • Adds Run key to start application
    pzvkot.exe, dry.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\fg = "C:\\Users\\Admin\\AppData\\Roaming\\df\\gh.exe" | pzvkot.exe
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | dry.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\rka = "C:\\Users\\Admin\\AppData\\Roaming\\rga\\rpa.exe" | dry.exe
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | pzvkot.exe
  • Drops file in System32 directory
    powershell.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    RegSvcs.exe

    Reported IOCs

    pid | process
    1968 | RegSvcs.exe
    1968 | RegSvcs.exe
    1968 | RegSvcs.exe
    1968 | RegSvcs.exe
    1968 | RegSvcs.exe
  • Suspicious use of SetThreadContext
    dry.exe, pzvkot.exe

    Reported IOCs

    description | pid | process | target process
    PID 1556 set thread context of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 328 set thread context of 1968 | 328 | pzvkot.exe | RegSvcs.exe
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    544 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    WINWORD.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  • Modifies registry class
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    656 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, RegSvcs.exe

    Reported IOCs

    pid | process
    1712 | powershell.exe
    680 | RegSvcs.exe
    1712 | powershell.exe
    1712 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    RegSvcs.exe, powershell.exe, RegSvcs.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 680 | RegSvcs.exe
    Token: SeDebugPrivilege | 1712 | powershell.exe
    Token: SeDebugPrivilege | 1968 | RegSvcs.exe
    Token: SeShutdownPrivilege | 1968 | RegSvcs.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE, dry.exe, pzvkot.exe, RegSvcs.exe

    Reported IOCs

    pid | process
    656 | WINWORD.EXE
    656 | WINWORD.EXE
    1556 | dry.exe
    328 | pzvkot.exe
    1968 | RegSvcs.exe
    1968 | RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, dry.exe, WINWORD.EXE, RegSvcs.exe, cmd.exe, powershell.exe, pzvkot.exe

    Reported IOCs

    description | pid | process | target process
    PID 544 wrote to memory of 1556 | 544 | EQNEDT32.EXE | dry.exe
    PID 544 wrote to memory of 1556 | 544 | EQNEDT32.EXE | dry.exe
    PID 544 wrote to memory of 1556 | 544 | EQNEDT32.EXE | dry.exe
    PID 544 wrote to memory of 1556 | 544 | EQNEDT32.EXE | dry.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 1556 wrote to memory of 680 | 1556 | dry.exe | RegSvcs.exe
    PID 656 wrote to memory of 880 | 656 | WINWORD.EXE | splwow64.exe
    PID 656 wrote to memory of 880 | 656 | WINWORD.EXE | splwow64.exe
    PID 656 wrote to memory of 880 | 656 | WINWORD.EXE | splwow64.exe
    PID 656 wrote to memory of 880 | 656 | WINWORD.EXE | splwow64.exe
    PID 680 wrote to memory of 984 | 680 | RegSvcs.exe | cmd.exe
    PID 680 wrote to memory of 984 | 680 | RegSvcs.exe | cmd.exe
    PID 680 wrote to memory of 984 | 680 | RegSvcs.exe | cmd.exe
    PID 680 wrote to memory of 984 | 680 | RegSvcs.exe | cmd.exe
    PID 984 wrote to memory of 1712 | 984 | cmd.exe | powershell.exe
    PID 984 wrote to memory of 1712 | 984 | cmd.exe | powershell.exe
    PID 984 wrote to memory of 1712 | 984 | cmd.exe | powershell.exe
    PID 984 wrote to memory of 1712 | 984 | cmd.exe | powershell.exe
    PID 1712 wrote to memory of 328 | 1712 | powershell.exe | pzvkot.exe
    PID 1712 wrote to memory of 328 | 1712 | powershell.exe | pzvkot.exe
    PID 1712 wrote to memory of 328 | 1712 | powershell.exe | pzvkot.exe
    PID 1712 wrote to memory of 328 | 1712 | powershell.exe | pzvkot.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
    PID 328 wrote to memory of 1968 | 328 | pzvkot.exe | RegSvcs.exe
Processes 9
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Zakaz na pokupku 21-10-2021.doc"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:880
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Roaming\dry.exe
      "C:\Users\Admin\AppData\Roaming\dry.exe"
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:680
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"' & exit
          Suspicious use of WriteProcessMemory
          PID:984
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"'
            Loads dropped DLL
            Drops file in System32 directory
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Users\Admin\AppData\Local\Temp\pzvkot.exe
              "C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"
              Executes dropped EXE
              Adds Run key to start application
              Suspicious use of SetThreadContext
              Suspicious use of SetWindowsHookEx
              Suspicious use of WriteProcessMemory
              PID:328
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Suspicious use of NtSetInformationThreadHideFromDebugger
                Suspicious use of AdjustPrivilegeToken
                Suspicious use of SetWindowsHookEx
                PID:1968
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
• C:\Users\Admin\AppData\Local\Temp\pzvkot.exe
  MD5: 353bf835f7858ee5a1a77e70cef01607
  SHA1: 2db1b8bb53f5c7b45db326695065efd6e0ac5867
  SHA256: 688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08
  SHA512: 00b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8
• C:\Users\Admin\AppData\Roaming\dry.exe
  MD5: 8febef9e39284335678e45955722d6a6
  SHA1: 0f5de2557c7cef0c486157089cf2b761ca8839d7
  SHA256: 7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
  SHA512: e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf