Behavioral Report

max time kernel148s
max time network179s
platformwindows7_x64
resourcewin7-en-20210920
submitted21-10-2021 17:59

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Zakaz na pokupku 21-10-2021.doc

Filesize

4KB

Completed

21-10-2021 18:02

Task

behavioral1

Score

10^/10

MD5

e205f10f887754bd65281f14c25c0f21

SHA1

b356aab56ba5eb993326e4ede7e254e7181aa165

SHA256

5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d

SHA256

cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2

asyncrat bitrat 1 persistence rat trojan

Extracted

Family	asyncrat
Version	0.5.7B
Botnet	1
C2	185.157.160.136:1973 185.157.160.136:1973
Attributes	anti_vm false bsod false delay 38 install false install_folder %AppData% pastebin_config null
aes.plain

Defense Evasion

Execution

Persistence

AsyncRat

Description

AsyncRAT is designed to remotely monitor and control other computers.

Tags

rat asyncrat
BitRAT

Description

BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

Tags

trojan bitrat

BitRAT Payload

Reported IOCs

resource	yara_rule
behavioral1/memory/1968-95-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1968-96-0x000000000068A488-mapping.dmp	family_bitrat
behavioral1/memory/1968-97-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

Async RAT payload

Reported IOCs

resource	yara_rule
behavioral1/memory/680-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/680-71-0x000000000040C6BE-mapping.dmp	asyncrat
behavioral1/memory/680-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/680-78-0x00000000005B0000-0x00000000005CB000-memory.dmp	asyncrat

Blocklisted process makes network request
EQNEDT32.EXE

Reported IOCs

flow pid process

5 544 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE
dry.exepzvkot.exe

Reported IOCs

pid process

1556 dry.exe
328 pzvkot.exe
Loads dropped DLL
EQNEDT32.EXEpowershell.exe

Reported IOCs

pid process

544 EQNEDT32.EXE
544 EQNEDT32.EXE
544 EQNEDT32.EXE
544 EQNEDT32.EXE
544 EQNEDT32.EXE
1712 powershell.exe
1712 powershell.exe

flow	pid	process
5	544	EQNEDT32.EXE

pid	process
1556	dry.exe
328	pzvkot.exe

pid	process
544	EQNEDT32.EXE
544	EQNEDT32.EXE
544	EQNEDT32.EXE
544	EQNEDT32.EXE
544	EQNEDT32.EXE
1712	powershell.exe
1712	powershell.exe

Adds Run key to start application

pzvkot.exedry.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\fg = "C:\\Users\\Admin\\AppData\\Roaming\\df\\gh.exe"	pzvkot.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	dry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\rka = "C:\\Users\\Admin\\AppData\\Roaming\\rga\\rpa.exe"	dry.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	pzvkot.exe

Drops file in System32 directory

powershell.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger
RegSvcs.exe

Reported IOCs

pid process

1968 RegSvcs.exe
1968 RegSvcs.exe
1968 RegSvcs.exe
1968 RegSvcs.exe
1968 RegSvcs.exe

pid	process
1968	RegSvcs.exe
1968	RegSvcs.exe
1968	RegSvcs.exe
1968	RegSvcs.exe
1968	RegSvcs.exe

Suspicious use of SetThreadContext

dry.exepzvkot.exe

Reported IOCs

description	pid	process	target process
PID 1556 set thread context of 680	1556	dry.exe	RegSvcs.exe
PID 328 set thread context of 1968	328	pzvkot.exe	RegSvcs.exe

Drops file in Windows directory
WINWORD.EXE

Reported IOCs

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor
EQNEDT32.EXE

Description

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Tags

exploit

TTPs

Exploitation for Client Execution

Reported IOCs

pid process

544 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
544	EQNEDT32.EXE

Modifies Internet Explorer settings

WINWORD.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class

WINWORD.EXE

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

656 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses
powershell.exeRegSvcs.exe

Reported IOCs

pid process

1712 powershell.exe
680 RegSvcs.exe
1712 powershell.exe
1712 powershell.exe

pid	process
656	WINWORD.EXE

pid	process
1712	powershell.exe
680	RegSvcs.exe
1712	powershell.exe
1712	powershell.exe

Suspicious use of AdjustPrivilegeToken

RegSvcs.exepowershell.exeRegSvcs.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	680	RegSvcs.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1968	RegSvcs.exe
Token: SeShutdownPrivilege	1968	RegSvcs.exe

Suspicious use of SetWindowsHookEx
WINWORD.EXEdry.exepzvkot.exeRegSvcs.exe

Reported IOCs

pid process

656 WINWORD.EXE
656 WINWORD.EXE
1556 dry.exe
328 pzvkot.exe
1968 RegSvcs.exe
1968 RegSvcs.exe

pid	process
656	WINWORD.EXE
656	WINWORD.EXE
1556	dry.exe
328	pzvkot.exe
1968	RegSvcs.exe
1968	RegSvcs.exe

Suspicious use of WriteProcessMemory

EQNEDT32.EXEdry.exeWINWORD.EXERegSvcs.execmd.exepowershell.exepzvkot.exe

Reported IOCs

description	pid	process	target process
PID 544 wrote to memory of 1556	544	EQNEDT32.EXE	dry.exe
PID 544 wrote to memory of 1556	544	EQNEDT32.EXE	dry.exe
PID 544 wrote to memory of 1556	544	EQNEDT32.EXE	dry.exe
PID 544 wrote to memory of 1556	544	EQNEDT32.EXE	dry.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 1556 wrote to memory of 680	1556	dry.exe	RegSvcs.exe
PID 656 wrote to memory of 880	656	WINWORD.EXE	splwow64.exe
PID 656 wrote to memory of 880	656	WINWORD.EXE	splwow64.exe
PID 656 wrote to memory of 880	656	WINWORD.EXE	splwow64.exe
PID 656 wrote to memory of 880	656	WINWORD.EXE	splwow64.exe
PID 680 wrote to memory of 984	680	RegSvcs.exe	cmd.exe
PID 680 wrote to memory of 984	680	RegSvcs.exe	cmd.exe
PID 680 wrote to memory of 984	680	RegSvcs.exe	cmd.exe
PID 680 wrote to memory of 984	680	RegSvcs.exe	cmd.exe
PID 984 wrote to memory of 1712	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1712	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1712	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1712	984	cmd.exe	powershell.exe
PID 1712 wrote to memory of 328	1712	powershell.exe	pzvkot.exe
PID 1712 wrote to memory of 328	1712	powershell.exe	pzvkot.exe
PID 1712 wrote to memory of 328	1712	powershell.exe	pzvkot.exe
PID 1712 wrote to memory of 328	1712	powershell.exe	pzvkot.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe
PID 328 wrote to memory of 1968	328	pzvkot.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Zakaz na pokupku 21-10-2021.doc"

Drops file in Windows directory
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:656

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

PID:880

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Blocklisted process makes network request
Loads dropped DLL
Launches Equation Editor
Suspicious use of WriteProcessMemory

PID:544

C:\Users\Admin\AppData\Roaming\dry.exe

"C:\Users\Admin\AppData\Roaming\dry.exe"

Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:680

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"' & exit

Suspicious use of WriteProcessMemory

PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"'

Loads dropped DLL
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1712

C:\Users\Admin\AppData\Local\Temp\pzvkot.exe

"C:\Users\Admin\AppData\Local\Temp\pzvkot.exe"

Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:1968

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exploitation for Client Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\pzvkot.exe
MD5
353bf835f7858ee5a1a77e70cef01607

SHA1
2db1b8bb53f5c7b45db326695065efd6e0ac5867

SHA256
688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08

SHA512
00b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzvkot.exe
MD5
353bf835f7858ee5a1a77e70cef01607

SHA1
2db1b8bb53f5c7b45db326695065efd6e0ac5867

SHA256
688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08

SHA512
00b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8

Download Submit
C:\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
C:\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
\Users\Admin\AppData\Local\Temp\pzvkot.exe
MD5
353bf835f7858ee5a1a77e70cef01607

SHA1
2db1b8bb53f5c7b45db326695065efd6e0ac5867

SHA256
688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08

SHA512
00b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8

Download Submit
\Users\Admin\AppData\Local\Temp\pzvkot.exe
MD5
353bf835f7858ee5a1a77e70cef01607

SHA1
2db1b8bb53f5c7b45db326695065efd6e0ac5867

SHA256
688d8eaf46e1fc66223d9fb5f1beae9127b1ad16ecfbb080e84dccff2e146d08

SHA512
00b2d9ba1887fef99165de5e1b386c3a3b4780f6baf2525206fa8a364d7ebf0267659877f303ad0fb2918868b26c02dfe9901b7228d79ef79c409ef1253dfff8

Download Submit
\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
\Users\Admin\AppData\Roaming\dry.exe
MD5
8febef9e39284335678e45955722d6a6

SHA1
0f5de2557c7cef0c486157089cf2b761ca8839d7

SHA256
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

SHA512
e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Download Submit
memory/328-89-0x0000000000000000-mapping.dmp

Download
memory/656-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Download
memory/656-55-0x00000000709D1000-0x00000000709D3000-memory.dmp

Download
memory/656-57-0x00000000765A1000-0x00000000765A3000-memory.dmp

Download
memory/656-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Download
memory/656-54-0x0000000072F51000-0x0000000072F54000-memory.dmp

Download
memory/680-72-0x0000000000400000-0x0000000000412000-memory.dmp

Download
memory/680-77-0x0000000005050000-0x0000000005051000-memory.dmp

Download
memory/680-78-0x00000000005B0000-0x00000000005CB000-memory.dmp

Download
memory/680-71-0x000000000040C6BE-mapping.dmp

Download
memory/680-70-0x0000000000400000-0x0000000000412000-memory.dmp

Download
memory/880-74-0x0000000000000000-mapping.dmp

Download
memory/880-75-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Download
memory/984-79-0x0000000000000000-mapping.dmp

Download
memory/1556-67-0x0000000000220000-0x000000000022A000-memory.dmp

Download
memory/1556-66-0x0000000000220000-0x0000000000226000-memory.dmp

Download
memory/1556-64-0x0000000000000000-mapping.dmp

Download
memory/1712-83-0x0000000002341000-0x0000000002342000-memory.dmp

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/1712-82-0x0000000002340000-0x0000000002341000-memory.dmp

Download
memory/1712-84-0x0000000002342000-0x0000000002344000-memory.dmp

Download
memory/1712-85-0x0000000004B20000-0x0000000004DF2000-memory.dmp

Download
memory/1968-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Download
memory/1968-96-0x000000000068A488-mapping.dmp

Download
memory/1968-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title