Analysis
max time kernel: 146s
max time network: 91s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: SWIFT copy.rtf
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SWIFT copy.rtf
  Resource: win10v2004-20221111-en
General
Target: SWIFT copy.rtf
Size: 23KB
MD5: 8e59a5a134a38809a6c7bee8b3b9cd9b
SHA1: 8331a36576b4fed98dfc4ab7297f1221cf0a54f9
SHA256: b30d6e23a319a4bd93eb4a344166d885b71de3ece98bcc12e9f67c3e25a8214b
SHA512: b2b6435015318536fca05a822409edf2931b96f2e6b29431aac6156c5952c84409cb486e74f9038db3839fef5e735811868cca536ad350c30cbc7743130edd31
SSDEEP: 384:OQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZc0UJmhY2R19ufNvUKwXYZT6:qFx0XaIsnPRIa4fwJM6mPR190vzuu6
Malware Config
Extracted family: nanocore
Version: 1.2.2.0
C2: tzitziklishop.ddns.net:1665, 127.0.0.1:1665
Mutex: 54c43eb3-9a5e-48cf-bbb9-9a65e46643a1
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-09-09T09:23:36.606577636Z
bypass_user_account_control: false
bypass_user_account_control_data: (omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1665
default_group: NOV282022
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 54c43eb3-9a5e-48cf-bbb9-9a65e46643a1
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: tzitziklishop.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: EQNEDT32.EXE (PID 588), network flow 4
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes: catciarec841.exe (PID 956), catciarec841.exe (PID 1732), catciarec841.exe (PID 1632)
- Loads dropped DLL (2 IoCs)
  Processes: EQNEDT32.EXE (PID 588), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: catciarec841.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"
- Checks whether UAC is enabled
  Processes: catciarec841.exe queried key value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  Processes: catciarec841.exe (PID 956) set thread context of catciarec841.exe (PID 1632)
- Drops file in Program Files directory (2 IoCs)
  Processes: catciarec841.exe created C:\Program Files (x86)\ISS Manager\issmgr.exe; catciarec841.exe opened C:\Program Files (x86)\ISS Manager\issmgr.exe for modification
- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE opened C:\Windows\Debug\WIA\wiatrace.log for modification
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
- Modifies registry class (64 IoCs)
  Processes: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE (PID 1420)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: catciarec841.exe (PID 956), two occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: catciarec841.exe (PID 956), token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE (PID 1420), two occurrences
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (source process -> target process, number of writes):
  EQNEDT32.EXE (PID 588) -> catciarec841.exe (PID 956), 4
  WINWORD.EXE (PID 1420) -> splwow64.exe (PID 620), 4
  catciarec841.exe (PID 956) -> catciarec841.exe (PID 1732), 4
  catciarec841.exe (PID 956) -> catciarec841.exe (PID 1632), 9
  catciarec841.exe (PID 1632) -> schtasks.exe (PID 740), 4
  catciarec841.exe (PID 1632) -> schtasks.exe (PID 1556), 4
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFT copy.rtf"
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Launches Equation Editor; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\catciarec841.exe
    Command line: "C:\Users\Admin\AppData\Roaming\catciarec841.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\catciarec841.exe
      Command line: "C:\Users\Admin\AppData\Roaming\catciarec841.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\catciarec841.exe
      Command line: "C:\Users\Admin\AppData\Roaming\catciarec841.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC8BC.tmp"
        Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD6C1.tmp"
        Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC8BC.tmp
  Filesize: 1KB
  MD5: 6fe5d710683473773c5abaa09c816ee5
  SHA1: 76742c9c77aaa5aef280cbcb872b8fc3cce67bb6
  SHA256: da5a0080b48be42b5ad53c4894e76cb17c59778f1285c77e0f801caec78e1d41
  SHA512: 9cb6849a60047ce10da2f617daba1743917c42fb4bd3968e0f9bbc3c9b72362c9916d26689d1d4c62464cf0c07e643cc8595be7900d6933cc2b5b8c0381f0058
- C:\Users\Admin\AppData\Local\Temp\tmpD6C1.tmp
  Filesize: 1KB
  MD5: ea7095fa975a5ac043c9de2899ce61d0
  SHA1: ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
  SHA256: 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
  SHA512: b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb
- C:\Users\Admin\AppData\Roaming\catciarec841.exe (also listed as \Users\Admin\AppData\Roaming\catciarec841.exe)
  Filesize: 595KB
  MD5: 4e7706b27fae00c7753de80ca6f3d7b7
  SHA1: 8275b2c1e523c9dd5de56751a2eff6c4abe914ba
  SHA256: 1ae495d26ee067e62e53c6490109ecf080801be79fda954d3659615a2343acc5
  SHA512: e219db9165c00980261c19e32fb32f669acd2a512bd8757373488b8e4bb3cb50539591bee1404844a52e62ad197fe479326e4a397c5cc00b4163adfd5fd92d5b
- Memory dumps, PID 620 (splwow64.exe): mapping.dmp; 0x000007FEFC451000-0x000007FEFC453000 (8KB)
- Memory dumps, PID 740 (schtasks.exe): mapping.dmp
- Memory dumps, PID 956 (catciarec841.exe): mapping.dmp; 0x0000000000870000-0x000000000090C000 (624KB); 0x0000000000570000-0x0000000000586000 (88KB); 0x0000000000590000-0x000000000059E000 (56KB); 0x0000000005640000-0x00000000056B4000 (464KB); 0x00000000040D0000-0x000000000410A000 (232KB)
- Memory dumps, PID 1420 (WINWORD.EXE): 0x0000000072F41000-0x0000000072F44000 (12KB); 0x00000000709C1000-0x00000000709C3000 (8KB); 0x000000005FFF0000-0x0000000060000000 (64KB, dumped twice); 0x00000000719AD000-0x00000000719B8000 (44KB, dumped three times); 0x00000000767B1000-0x00000000767B3000 (8KB)
- Memory dumps, PID 1556 (schtasks.exe): mapping.dmp
- Memory dumps, PID 1632 (catciarec841.exe): 0x0000000000400000-0x0000000000438000 (224KB, dumped seven times); mapping.dmp at 0x000000000041E792