ae3bc9f972947dbad44ec70d3d5aa55cce92a10bd87bed17004da72b800a0c67

Resubmissions

17/04/2023, 11:12

230417-naxbpsdh25 10

17/04/2023, 11:06

230417-m7mcbsdg96 10

Analysis

max time kernel
296s
max time network
300s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/04/2023, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(RFQ) – 14000102697.rtf
Size

37KB
MD5

17be8aa282a9714f7e11bc6a7b453f81
SHA1

745cc223e837bc41a8bacb09c7d12ce246042fe4
SHA256

ae3bc9f972947dbad44ec70d3d5aa55cce92a10bd87bed17004da72b800a0c67
SHA512

5e671ebf0769f03f7bbec062797a37aed18a3e3a257ce8b4c0aa53f7065011a71eea63d5556a9de99723b8e08cc4571c36b79e71034e3d6d6c43e236a4617a83
SSDEEP

768:wFx0XaIsnPRIa4fwJMAcErwPkegfqqOva9MSYlR74E+60WdFJBHDpZ:wf0Xvx3EMAcEraqOvabYlIcdFJ1tZ

Score

10^/10

spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1732	1676	autoconv.exe	25
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1820	1676	cscript.exe	25

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	464	EQNEDT32.EXE
9	1820	cscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation	maxoysj4762.exe

Executes dropped EXE 2 IoCs

pid	Process
904	maxoysj4762.exe
1848	maxoysj4762.exe

Loads dropped DLL 2 IoCs

pid	Process
464	EQNEDT32.EXE
1820	cscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 904 set thread context of 1848	904	maxoysj4762.exe	33
PID 1848 set thread context of 1676	1848	maxoysj4762.exe	25
PID 1820 set thread context of 1272	1820	cscript.exe	15

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
464	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1676	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1848	maxoysj4762.exe
1848	maxoysj4762.exe
1848	maxoysj4762.exe
1848	maxoysj4762.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1848	maxoysj4762.exe
1848	maxoysj4762.exe
1848	maxoysj4762.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe
1820	cscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	maxoysj4762.exe
Token: SeDebugPrivilege	1820	cscript.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1676	WINWORD.EXE
1676	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 904	464	EQNEDT32.EXE	29
PID 464 wrote to memory of 904	464	EQNEDT32.EXE	29
PID 464 wrote to memory of 904	464	EQNEDT32.EXE	29
PID 464 wrote to memory of 904	464	EQNEDT32.EXE	29
PID 1676 wrote to memory of 976	1676	WINWORD.EXE	32
PID 1676 wrote to memory of 976	1676	WINWORD.EXE	32
PID 1676 wrote to memory of 976	1676	WINWORD.EXE	32
PID 1676 wrote to memory of 976	1676	WINWORD.EXE	32
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 904 wrote to memory of 1848	904	maxoysj4762.exe	33
PID 1676 wrote to memory of 1820	1676	WINWORD.EXE	35
PID 1676 wrote to memory of 1820	1676	WINWORD.EXE	35
PID 1676 wrote to memory of 1820	1676	WINWORD.EXE	35
PID 1676 wrote to memory of 1820	1676	WINWORD.EXE	35
PID 1820 wrote to memory of 964	1820	cscript.exe	36
PID 1820 wrote to memory of 964	1820	cscript.exe	36
PID 1820 wrote to memory of 964	1820	cscript.exe	36
PID 1820 wrote to memory of 964	1820	cscript.exe	36
PID 1820 wrote to memory of 964	1820	cscript.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1272
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\(RFQ) – 14000102697.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:976
- - C:\Windows\SysWOW64\autoconv.exe
    "C:\Windows\SysWOW64\autoconv.exe"
    3⤵
    - Process spawned unexpected child process
    PID:1732
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\SysWOW64\cscript.exe"
    3⤵
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:964

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Roaming\maxoysj4762.exe
  "C:\Users\Admin\AppData\Roaming\maxoysj4762.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Roaming\maxoysj4762.exe
    "C:\Users\Admin\AppData\Roaming\maxoysj4762.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dnflz.zip

Filesize
553KB

MD5
5e2d04cb2fae4e811ca35675c472f5fc

SHA1
6e2359f8e81f1a1122d1fb50b064878f2aaefc68

SHA256
dd46a298ab90ca9ba8a1f633f20abe2dcb805596b5aa68dcb84cce99e3a56be1

SHA512
53c8701768ee4a43a6b2095af00aa5f2c53445021a91d3567d02cf8157c7b7c4e629c5c70bb24697d365a7c41c791af0c68b511ab3cf5f356d9d929618421d05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
d18b3b3d0e7165f536c8686364900204

SHA1
7f29cbae3271e278e2b1bae7d64cf8c66322e85c

SHA256
bbb7e1fe1b937fa813be56126738740cd27a4a7459a3764f630899c8e01b89a7

SHA512
86e82c461a2adce8c7898ac447a0409c5714dac6f4f8876ba56b37a83e7ec1e4d43ec9d0b612bb409eadd2dc2dd7f6461da792b825ffd6cd5d5105398e721d3a

Download Submit
C:\Users\Admin\AppData\Roaming\maxoysj4762.exe

Filesize
585KB

MD5
d6bf1f473ce21610f125492e27d1a4e4

SHA1
c51444cd94cbfb2f955f555feac4512ed7ef33d1

SHA256
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

SHA512
80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Download Submit
C:\Users\Admin\AppData\Roaming\maxoysj4762.exe

Filesize
585KB

MD5
d6bf1f473ce21610f125492e27d1a4e4

SHA1
c51444cd94cbfb2f955f555feac4512ed7ef33d1

SHA256
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

SHA512
80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Download Submit
C:\Users\Admin\AppData\Roaming\maxoysj4762.exe

Filesize
585KB

MD5
d6bf1f473ce21610f125492e27d1a4e4

SHA1
c51444cd94cbfb2f955f555feac4512ed7ef33d1

SHA256
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

SHA512
80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Download Submit
C:\Users\Admin\AppData\Roaming\maxoysj4762.exe

Filesize
585KB

MD5
d6bf1f473ce21610f125492e27d1a4e4

SHA1
c51444cd94cbfb2f955f555feac4512ed7ef33d1

SHA256
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

SHA512
80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
\Users\Admin\AppData\Roaming\maxoysj4762.exe

Filesize
585KB

MD5
d6bf1f473ce21610f125492e27d1a4e4

SHA1
c51444cd94cbfb2f955f555feac4512ed7ef33d1

SHA256
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca

SHA512
80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Download Submit
memory/904-74-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/904-76-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/904-77-0x0000000005080000-0x00000000050F0000-memory.dmp

Filesize
448KB

Download
memory/904-78-0x00000000009A0000-0x00000000009D8000-memory.dmp

Filesize
224KB

Download
memory/904-67-0x0000000000FF0000-0x0000000001088000-memory.dmp

Filesize
608KB

Download
memory/904-72-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/904-73-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1272-160-0x0000000004D60000-0x0000000004E0E000-memory.dmp

Filesize
696KB

Download
memory/1272-101-0x0000000004D60000-0x0000000004E0E000-memory.dmp

Filesize
696KB

Download
memory/1676-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1676-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1676-86-0x0000000006410000-0x00000000064F7000-memory.dmp

Filesize
924KB

Download
memory/1820-88-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/1820-87-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/1820-89-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1820-90-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1820-91-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/1820-93-0x00000000022B0000-0x000000000233F000-memory.dmp

Filesize
572KB

Download
memory/1820-162-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1848-85-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1848-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1848-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download