Analysis
Max time kernel: 150s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 14-03-2023 19:21
Static task: static1
Behavioral task: behavioral1
  Sample: zapitvane marko bulgaria eood.rtf
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: zapitvane marko bulgaria eood.rtf
  Resource: win10v2004-20230220-en
General
Target: zapitvane marko bulgaria eood.rtf
Size: 3KB
MD5: 93671555d60537ba07df133dda8592a2
SHA1: 396ab1b853fac12d406bc1687cf18cb0a2cc061e
SHA256: 833747fe3feaca3e71a38cc66ee5003a846fc43a61e8a59e093a23c5b260ef90
SHA512: 8d03fcc1a697a8150ce7d2325e65a329d8d870a185b66cdb9ae70c84aecd9983913c12b48902d2b3f7553378617dee533363ac759bef1c8c502903f3016d6a6f
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: 74.201.28.92:3569
communication_password: 148b191cf4e80b549e1b1a4444f2bdf6
tor_process: tor
Signatures
Blocklisted process makes network request (5 IoCs)
Processes:
  flow  pid  process
  4     336  EQNEDT32.EXE
  6     336  EQNEDT32.EXE
  8     336  EQNEDT32.EXE
  10    336  EQNEDT32.EXE
  12    336  EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  1580  hjpy.exe
  588   tewu.exe
  1556  tewu.exe
  2044  tewu.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid  process
  336  EQNEDT32.EXE
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes:
  pid   process
  1440  vbc.exe
  1440  vbc.exe
  1440  vbc.exe
  1440  vbc.exe
  1440  vbc.exe
  1912  vbc.exe
  1720  vbc.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process   target process
  PID 1580 set thread context of 1440   1580  hjpy.exe  vbc.exe
  PID 588 set thread context of 1912    588   tewu.exe  vbc.exe
  PID 1556 set thread context of 1720   1556  tewu.exe  vbc.exe
Drops file in Windows directory (1 IoCs)
Processes:
  description                    ioc                                   process
  File opened for modification   C:\Windows\Debug\WIA\wiatrace.log     WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  1964  schtasks.exe
  652   schtasks.exe
  1912  schtasks.exe
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes:
  description        ioc                                                                                                                                              process
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell                                                      WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor                                                            WINWORD.EXE
  Set value (int)    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"   WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"                                      WINWORD.EXE
  Key created        \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                       WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell                                                     WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor                                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit                                                WINWORD.EXE
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000   WINWORD.EXE
  Key created        \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt                                        WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND                                         WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit                                                 WINWORD.EXE
  Set value (int)    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"       WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"                                     WINWORD.EXE
  Set value (str)    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell                                                      WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command                                         WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit                                                WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor                                                           WINWORD.EXE
  Set value (str)    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"           WINWORD.EXE
  Key created        \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel             WINWORD.EXE
  Set value (str)    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"   WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor                                                            WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit                                                 WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""   WINWORD.EXE
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell                                                     WINWORD.EXE
  Key created        \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar                                        WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command                                        WINWORD.EXE
Modifies registry class (64 IoCs)
Processes:
  description        ioc                                                                                                                        process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit                                         WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"                                   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit                                                                      WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"                                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32                  WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application                               WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"                 WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"   WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"                         WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit                                                   WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"                                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word                                                         WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit                                              WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command                                      WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command                                 WINWORD.EXE
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell                                                                           WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"              WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word                                                         WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""                                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command                                     WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe                                                            WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command                                         WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile                                                                                 WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList                                                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher                                                    WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit                                                   WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print                                                                     WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"                 WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"                    WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher                                                    WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"                                      WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel                                                        WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"                   WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList                                                                        WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit                                             WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command                                                            WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command                                                            WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application                               WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"                              WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command                                           WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}                                 WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print                                                                     WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm                                                                                     WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec                                     WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application                         WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit                                                                      WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit                                             WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell                                                                          WINWORD.EXE
  Key deleted        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit                                                                     WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print                                                                    WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command                                                             WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"                WINWORD.EXE
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"   WINWORD.EXE
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler                                                             WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1196  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description                  pid   process
  Token: SeDebugPrivilege      1440  vbc.exe
  Token: SeShutdownPrivilege   1440  vbc.exe
  Token: SeDebugPrivilege      1912  vbc.exe
  Token: SeShutdownPrivilege   1912  vbc.exe
  Token: SeDebugPrivilege      1720  vbc.exe
  Token: SeShutdownPrivilege   1720  vbc.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  1196  WINWORD.EXE
  1196  WINWORD.EXE
  1440  vbc.exe
  1440  vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed; the count column gives how many times each event appears):
  description                         pid   process       target process   count
  PID 336 wrote to memory of 1580     336   EQNEDT32.EXE  hjpy.exe         4
  PID 1580 wrote to memory of 1440    1580  hjpy.exe      vbc.exe          12
  PID 1580 wrote to memory of 824     1580  hjpy.exe      cmd.exe          4
  PID 1580 wrote to memory of 700     1580  hjpy.exe      cmd.exe          4
  PID 1580 wrote to memory of 1960    1580  hjpy.exe      cmd.exe          4
  PID 700 wrote to memory of 1964     700   cmd.exe       schtasks.exe     4
  PID 1812 wrote to memory of 588     1812  taskeng.exe   tewu.exe         4
  PID 588 wrote to memory of 1912     588   tewu.exe      vbc.exe          12
  PID 588 wrote to memory of 2032     588   tewu.exe      cmd.exe          4
  PID 588 wrote to memory of 1476     588   tewu.exe      cmd.exe          4
  PID 588 wrote to memory of 1956     588   tewu.exe      cmd.exe          4
  PID 1476 wrote to memory of 652     1476  cmd.exe       schtasks.exe     4
Processes (indentation shows the process tree depth reported by the sandbox)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapitvane marko bulgaria eood.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\hjpy.exe
      Command line: C:\Users\Admin\AppData\Roaming\hjpy.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\hjpy.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
          - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
  - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2B9492B0-9928-4F00-A7FC-B368B14F2A4C} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      Command line: C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"

    C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      Command line: C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"

    C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      Command line: C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 97e2ca715247c4337025b994b4c1d06b
  SHA1: 83ae2e613f7108ce1f9cb1a5302050400a74ce04
  SHA256: f31258ce06dc78c8131f45eb6d7bb30d335b451f76d776e0ad25cc8dd993de8d
  SHA512: f189278923c8b0e590da0b5219e9182fd82bfc548a87e271073353e33bbf55ec650a940a0c2f3e3e5b3c83959ddab6467768b150ef420fe9c98665429b79faf9

C:\Users\Admin\AppData\Local\Temp\Cab3BEB.tmp
  Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\Local\Temp\Tar4026.tmp
  Filesize: 161KB
  MD5: be2bec6e8c5653136d3e72fe53c98aa3
  SHA1: a8182d6db17c14671c3d5766c72e58d87c0810de
  SHA256: 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
  SHA512: 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 1e018e56c2af38de9f123a8e26d17d62
  SHA1: aa1394eb376ed7f7317e8c24202643c175186200
  SHA256: 89d5f36fe4e9db51df01d4ccc68ee60a3cb76bc6bb9ff6861c86d673ff87e30c
  SHA512: ba07892980539c0198211d963f22ff853d115930a5049f6fded4d797b953d325e82ce1ac3bda6767b4adb71b4014123bda67100c3c93bd5d9ea6491520940e39

C:\Users\Admin\AppData\Roaming\hjpy.exe
  Filesize: 3.8MB
  MD5: d07b7112b39c9eee7eaeba1adb099543
  SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
  SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
  SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
  Filesize: 3.8MB
  MD5: d07b7112b39c9eee7eaeba1adb099543
  SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
  SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
  SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
  Filesize: 3.1MB
  MD5: 3276d32a0910b570f300254f65d3093f
  SHA1: 15b9b0c94b36d8933acc311ec1d0652f1dd153a8
  SHA256: 6bee61fc09ea2d6386cbe135d3070b8b3f6dee1f5e7781b89843528abc7a6a38
  SHA512: 26760f3674f7c72a709b5ac97b45ea4b9e5cd9e9bbbf40ff0d3ca4c2552fbe6ea281ac832f2b7f74e3c9421713cc65a9c89013aba3a65ecce8bf595614db62d5

\Users\Admin\AppData\Roaming\hjpy.exe
  Filesize: 3.8MB
  MD5: d07b7112b39c9eee7eaeba1adb099543
  SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
  SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
  SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
memory/588-198-0x00000000045E0000-0x0000000004620000-memory.dmpFilesize
256KB
-
memory/588-185-0x0000000000010000-0x00000000003E4000-memory.dmpFilesize
3.8MB
-
memory/1196-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1440-157-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-201-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-158-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1440-159-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-161-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-165-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-171-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-172-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-173-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-174-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-175-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-176-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-177-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-178-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-179-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-180-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-181-0x0000000000190000-0x000000000019A000-memory.dmpFilesize
40KB
-
memory/1440-182-0x0000000000190000-0x000000000019A000-memory.dmpFilesize
40KB
-
memory/1440-155-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-154-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-153-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-196-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-150-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-199-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-200-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-156-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-202-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-203-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-205-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-206-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-207-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-208-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-209-0x0000000000190000-0x000000000019A000-memory.dmpFilesize
40KB
-
memory/1440-210-0x0000000000190000-0x000000000019A000-memory.dmpFilesize
40KB
-
memory/1440-211-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-152-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-230-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-218-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-220-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-222-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-223-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-224-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-226-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1440-228-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1556-233-0x0000000001060000-0x0000000001434000-memory.dmpFilesize
3.8MB
-
memory/1580-151-0x0000000000ED0000-0x0000000000F10000-memory.dmpFilesize
256KB
-
memory/1580-149-0x0000000001140000-0x0000000001514000-memory.dmpFilesize
3.8MB
-
memory/1720-245-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1720-248-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1912-217-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1912-215-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/2044-286-0x0000000001060000-0x0000000001434000-memory.dmpFilesize
3.8MB