Analysis
-
max time kernel
148s -
max time network
179s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 17:59
Static task
static1
Behavioral task
behavioral1
Sample
Zakaz na pokupku 21-10-2021.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Zakaz na pokupku 21-10-2021.doc
Resource
win10-en-20211014
General
-
Target
Zakaz na pokupku 21-10-2021.doc
-
Size
4KB
-
MD5
e205f10f887754bd65281f14c25c0f21
-
SHA1
b356aab56ba5eb993326e4ede7e254e7181aa165
-
SHA256
5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d
-
SHA512
cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2
Malware Config
Extracted
asyncrat
0.5.7B
1
185.157.160.136:1973
df4Rtg34dFjwr7ujp3
-
anti_vm
false
-
bsod
false
-
delay
38
-
install
false
-
install_folder
%AppData%
-
pastebin_config
null
Signatures
-
BitRAT Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1968-95-0x0000000000400000-0x00000000007CE000-memory.dmp family_bitrat behavioral1/memory/1968-96-0x000000000068A488-mapping.dmp family_bitrat behavioral1/memory/1968-97-0x0000000000400000-0x00000000007CE000-memory.dmp family_bitrat -
Async RAT payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/680-70-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/680-71-0x000000000040C6BE-mapping.dmp asyncrat behavioral1/memory/680-72-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral1/memory/680-78-0x00000000005B0000-0x00000000005CB000-memory.dmp asyncrat -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 544 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
dry.exepzvkot.exepid process 1556 dry.exe 328 pzvkot.exe -
Loads dropped DLL 7 IoCs
Processes:
EQNEDT32.EXEpowershell.exepid process 544 EQNEDT32.EXE 544 EQNEDT32.EXE 544 EQNEDT32.EXE 544 EQNEDT32.EXE 544 EQNEDT32.EXE 1712 powershell.exe 1712 powershell.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
pzvkot.exedry.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\fg = "C:\\Users\\Admin\\AppData\\Roaming\\df\\gh.exe" pzvkot.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run dry.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\rka = "C:\\Users\\Admin\\AppData\\Roaming\\rga\\rpa.exe" dry.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run pzvkot.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
RegSvcs.exepid process 1968 RegSvcs.exe 1968 RegSvcs.exe 1968 RegSvcs.exe 1968 RegSvcs.exe 1968 RegSvcs.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
dry.exepzvkot.exedescription pid process target process PID 1556 set thread context of 680 1556 dry.exe RegSvcs.exe PID 328 set thread context of 1968 328 pzvkot.exe RegSvcs.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 656 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeRegSvcs.exepid process 1712 powershell.exe 680 RegSvcs.exe 1712 powershell.exe 1712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
RegSvcs.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 680 RegSvcs.exe Token: SeDebugPrivilege 1712 powershell.exe Token: SeDebugPrivilege 1968 RegSvcs.exe Token: SeShutdownPrivilege 1968 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXEdry.exepzvkot.exeRegSvcs.exepid process 656 WINWORD.EXE 656 WINWORD.EXE 1556 dry.exe 328 pzvkot.exe 1968 RegSvcs.exe 1968 RegSvcs.exe -
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
EQNEDT32.EXEdry.exeWINWORD.EXERegSvcs.execmd.exepowershell.exepzvkot.exedescription pid process target process PID 544 wrote to memory of 1556 544 EQNEDT32.EXE dry.exe PID 544 wrote to memory of 1556 544 EQNEDT32.EXE dry.exe PID 544 wrote to memory of 1556 544 EQNEDT32.EXE dry.exe PID 544 wrote to memory of 1556 544 EQNEDT32.EXE dry.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 1556 wrote to memory of 680 1556 dry.exe RegSvcs.exe PID 656 wrote to memory of 880 656 WINWORD.EXE splwow64.exe PID 656 wrote to memory of 880 656 WINWORD.EXE splwow64.exe PID 656 wrote to memory of 880 656 WINWORD.EXE splwow64.exe PID 656 wrote to memory of 880 656 WINWORD.EXE splwow64.exe PID 680 wrote to memory of 984 680 RegSvcs.exe cmd.exe PID 680 wrote to memory of 984 680 RegSvcs.exe cmd.exe PID 680 wrote to memory of 984 680 RegSvcs.exe cmd.exe PID 680 wrote to memory of 984 680 RegSvcs.exe cmd.exe PID 984 wrote to memory of 1712 984 cmd.exe powershell.exe PID 984 wrote to memory of 1712 984 cmd.exe powershell.exe PID 984 wrote to memory of 1712 984 cmd.exe powershell.exe PID 984 wrote to memory of 1712 984 cmd.exe powershell.exe PID 1712 wrote to memory of 328 1712 powershell.exe pzvkot.exe PID 1712 wrote to memory of 328 1712 powershell.exe pzvkot.exe PID 1712 wrote to memory of 328 1712 powershell.exe pzvkot.exe PID 1712 wrote to memory of 328 1712 powershell.exe pzvkot.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe PID 328 wrote to memory of 1968 328 pzvkot.exe RegSvcs.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Zakaz na pokupku 21-10-2021.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dry.exe"C:\Users\Admin\AppData\Roaming\dry.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"'5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pzvkot.exeMD5
353bf835f7858ee5a1a77e70cef01607
SHA12db1b8bb53f5c7b45db326695065efd6e0ac5867
SHA256688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08
SHA51200b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8
-
C:\Users\Admin\AppData\Local\Temp\pzvkot.exeMD5
353bf835f7858ee5a1a77e70cef01607
SHA12db1b8bb53f5c7b45db326695065efd6e0ac5867
SHA256688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08
SHA51200b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8
-
C:\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
C:\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
\Users\Admin\AppData\Local\Temp\pzvkot.exeMD5
353bf835f7858ee5a1a77e70cef01607
SHA12db1b8bb53f5c7b45db326695065efd6e0ac5867
SHA256688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08
SHA51200b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8
-
\Users\Admin\AppData\Local\Temp\pzvkot.exeMD5
353bf835f7858ee5a1a77e70cef01607
SHA12db1b8bb53f5c7b45db326695065efd6e0ac5867
SHA256688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08
SHA51200b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8
-
\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
\Users\Admin\AppData\Roaming\dry.exeMD5
8febef9e39284335678e45955722d6a6
SHA10f5de2557c7cef0c486157089cf2b761ca8839d7
SHA2567fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
SHA512e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf
-
memory/328-89-0x0000000000000000-mapping.dmp
-
memory/656-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/656-57-0x00000000765A1000-0x00000000765A3000-memory.dmpFilesize
8KB
-
memory/656-93-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/656-54-0x0000000072F51000-0x0000000072F54000-memory.dmpFilesize
12KB
-
memory/656-55-0x00000000709D1000-0x00000000709D3000-memory.dmpFilesize
8KB
-
memory/680-70-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/680-71-0x000000000040C6BE-mapping.dmp
-
memory/680-72-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/680-77-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/680-78-0x00000000005B0000-0x00000000005CB000-memory.dmpFilesize
108KB
-
memory/880-75-0x000007FEFC461000-0x000007FEFC463000-memory.dmpFilesize
8KB
-
memory/880-74-0x0000000000000000-mapping.dmp
-
memory/984-79-0x0000000000000000-mapping.dmp
-
memory/1556-64-0x0000000000000000-mapping.dmp
-
memory/1556-67-0x0000000000220000-0x000000000022A000-memory.dmpFilesize
40KB
-
memory/1556-66-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/1712-85-0x0000000004B20000-0x0000000004DF2000-memory.dmpFilesize
2.8MB
-
memory/1712-80-0x0000000000000000-mapping.dmp
-
memory/1712-84-0x0000000002342000-0x0000000002344000-memory.dmpFilesize
8KB
-
memory/1712-82-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/1712-83-0x0000000002341000-0x0000000002342000-memory.dmpFilesize
4KB
-
memory/1968-95-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1968-96-0x000000000068A488-mapping.dmp
-
memory/1968-97-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB