73bc1996842a2b9bc3d02bad78a3a6c7f168df28116bcf49e74d3e1fc022520d

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rfq_items_order.rtf
Size

55KB
MD5

4b7aa837e88cd219bdb017dd927ef978
SHA1

f6bfdf87b9acc4150f2dd875ad7802de36f3b9a4
SHA256

73bc1996842a2b9bc3d02bad78a3a6c7f168df28116bcf49e74d3e1fc022520d
SHA512

34122027d398ad8ed57ec5de21061500e97bfbe7e3f0ba61abc33cb258a4ee49f979d4b60bd435b14fbdd91dc1183f9c70ac096d030e126b7d5f44f7eb87998c
SSDEEP

1536:Nf0Xvx3EMRf0Xvx3EMZqnfPnk+bBTQBGkSi:NsXvKMRsXvKMQnffk+NTIGkSi

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1028	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1512	maxs8573.exe
1508	maxs8573.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	maxs8573.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	EQNEDT32.EXE
1364	wlanext.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 1508	1512	maxs8573.exe	35
PID 1508 set thread context of 1272	1508	maxs8573.exe	16
PID 1364 set thread context of 1272	1364	wlanext.exe	16

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1028	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
840	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1508	maxs8573.exe
1508	maxs8573.exe
1508	maxs8573.exe
1508	maxs8573.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1508	maxs8573.exe
1508	maxs8573.exe
1508	maxs8573.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe
1364	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	maxs8573.exe
Token: SeDebugPrivilege	1364	wlanext.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	WINWORD.EXE
840	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1512	1028	EQNEDT32.EXE	31
PID 1028 wrote to memory of 1512	1028	EQNEDT32.EXE	31
PID 1028 wrote to memory of 1512	1028	EQNEDT32.EXE	31
PID 1028 wrote to memory of 1512	1028	EQNEDT32.EXE	31
PID 840 wrote to memory of 804	840	WINWORD.EXE	34
PID 840 wrote to memory of 804	840	WINWORD.EXE	34
PID 840 wrote to memory of 804	840	WINWORD.EXE	34
PID 840 wrote to memory of 804	840	WINWORD.EXE	34
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1512 wrote to memory of 1508	1512	maxs8573.exe	35
PID 1272 wrote to memory of 1364	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1364	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1364	1272	Explorer.EXE	38
PID 1272 wrote to memory of 1364	1272	Explorer.EXE	38
PID 1364 wrote to memory of 1488	1364	wlanext.exe	39
PID 1364 wrote to memory of 1488	1364	wlanext.exe	39
PID 1364 wrote to memory of 1488	1364	wlanext.exe	39
PID 1364 wrote to memory of 1488	1364	wlanext.exe	39
PID 1364 wrote to memory of 1488	1364	wlanext.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\rfq_items_order.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:804
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1688
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1656
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1488

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Roaming\maxs8573.exe
  "C:\Users\Admin\AppData\Roaming\maxs8573.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Roaming\maxs8573.exe
    "C:\Users\Admin\AppData\Roaming\maxs8573.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\maxs8573.exe

Filesize
816KB

MD5
58011275adaa797e50a82420cf61247a

SHA1
8596de7f01f1c10753e2c167c0a2d4f923cbf165

SHA256
76cded40cd51eeb98f734dafed6ac0b0562d847a48b5d42a9b55d11dd73f1d21

SHA512
f18dd5c6c2592d403ed6efa47f82064adf11f957184507dd15ab3454d7772267bc322d7b1788eb7c4d0fec98853f3ae8aa58e4daa35d0eb5c720a71982e99e77

Download Submit
C:\Users\Admin\AppData\Roaming\maxs8573.exe

Filesize
816KB

MD5
58011275adaa797e50a82420cf61247a

SHA1
8596de7f01f1c10753e2c167c0a2d4f923cbf165

SHA256
76cded40cd51eeb98f734dafed6ac0b0562d847a48b5d42a9b55d11dd73f1d21

SHA512
f18dd5c6c2592d403ed6efa47f82064adf11f957184507dd15ab3454d7772267bc322d7b1788eb7c4d0fec98853f3ae8aa58e4daa35d0eb5c720a71982e99e77

Download Submit
C:\Users\Admin\AppData\Roaming\maxs8573.exe

Filesize
816KB

MD5
58011275adaa797e50a82420cf61247a

SHA1
8596de7f01f1c10753e2c167c0a2d4f923cbf165

SHA256
76cded40cd51eeb98f734dafed6ac0b0562d847a48b5d42a9b55d11dd73f1d21

SHA512
f18dd5c6c2592d403ed6efa47f82064adf11f957184507dd15ab3454d7772267bc322d7b1788eb7c4d0fec98853f3ae8aa58e4daa35d0eb5c720a71982e99e77

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
\Users\Admin\AppData\Roaming\maxs8573.exe

Filesize
816KB

MD5
58011275adaa797e50a82420cf61247a

SHA1
8596de7f01f1c10753e2c167c0a2d4f923cbf165

SHA256
76cded40cd51eeb98f734dafed6ac0b0562d847a48b5d42a9b55d11dd73f1d21

SHA512
f18dd5c6c2592d403ed6efa47f82064adf11f957184507dd15ab3454d7772267bc322d7b1788eb7c4d0fec98853f3ae8aa58e4daa35d0eb5c720a71982e99e77

Download Submit
memory/804-69-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/840-94-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/840-54-0x00000000720D1000-0x00000000720D4000-memory.dmp

Filesize
12KB

Download
memory/840-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/840-58-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/840-67-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/840-57-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/840-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/840-55-0x000000006FB51000-0x000000006FB53000-memory.dmp

Filesize
8KB

Download
memory/1272-92-0x0000000006AC0000-0x0000000006B97000-memory.dmp

Filesize
860KB

Download
memory/1272-89-0x0000000006AC0000-0x0000000006B97000-memory.dmp

Filesize
860KB

Download
memory/1272-83-0x0000000006590000-0x0000000006689000-memory.dmp

Filesize
996KB

Download
memory/1364-88-0x0000000001DB0000-0x0000000001E3F000-memory.dmp

Filesize
572KB

Download
memory/1364-87-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/1364-86-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1364-85-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1508-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-81-0x0000000000A90000-0x0000000000D93000-memory.dmp

Filesize
3.0MB

Download
memory/1508-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-82-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/1508-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-72-0x0000000002070000-0x00000000020A6000-memory.dmp

Filesize
216KB

Download
memory/1512-71-0x0000000004F50000-0x0000000004FC0000-memory.dmp

Filesize
448KB

Download
memory/1512-70-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1512-66-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1512-64-0x0000000000250000-0x0000000000320000-memory.dmp

Filesize
832KB

Download