4f2342043956b27f27d21ff46c0465c3802d1ea5a436fe476600237d773aadce

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4F2342043956B27F27D21FF46C0465C3802D1EA5A436FE476600237D773AADCE.rtf
Size

1.0MB
MD5

b1094adeba03f252490d5226899ea934
SHA1

55d1bdbfef9e9fc7e6e9d96e932ee8caec9f30fa
SHA256

4f2342043956b27f27d21ff46c0465c3802d1ea5a436fe476600237d773aadce
SHA512

e2c999d5eb78bfca6ebab1c37c93a658c092f8c0581cbe35fccfd5c0e32ab67a83f9a3f77b86be43430cab3a9f6679ac0201e95ae33b77d78f92842c303bd6d3
SSDEEP

24576:MVhHKKpy07FzpRrpMvQ4N4ZSV22EIQRdlWUa+cGIC0Pry3GeA4:u

Score

1^/10

Malware Config

Signatures

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
860	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4F2342043956B27F27D21FF46C0465C3802D1EA5A436FE476600237D773AADCE.rtf"
1⤵
- Modifies Internet Explorer settings
PID:1212
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2036

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad870a11e6301bfc0045e0fbcdaa0ac0

SHA1
3b1ecedf56dc25fcb0d1178b28dd2af9e707589c

SHA256
d2150a1eb19502fc29fecf5b39da03986e5b4c3672a95a9525aeb313348c597c

SHA512
e11fe1623e7adf65f98ab4d95a12a40533eb8aa1ad493a495a0906ea9c8a02a9bb66ae154e0ba2f05a3276d899a2c41bb06f34b3a8478dce137ac27201d80668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F06.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4084.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f714b86b62b0fe90ac24c8582b87683c

SHA1
09d0db3531ffcccde5a94f293c85d7f167d6f3fc

SHA256
3e4b7c77a2ff3d47cd0e61373218d22a4f1b9b960391f49a04515092dfb027a9

SHA512
e5ed7c85e12164c4576e19f452e6cf2d9b0ee492446327328dd13ea88471563a77ebfd1d82c3567854c01c3fb3abfbf7d158f1baef5d002996fcff430a96edc1

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
84KB

MD5
bff245445fb3bb87cd2c39924070a9de

SHA1
ecfb960c7ba3168f824e73261f220255c9e2cdcc

SHA256
ae7a78a1562693d181303e0231f2edf1724a78a703940da6caba64abff52016d

SHA512
f7c8952924ab27eba5438b86917165419bbf781bed0a2703108603c39d1618a91cf1b7b057de71ecad440bb78cd2874cadeb8ac03cc8adb3c186c192a6388038

Download Submit
memory/1212-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1212-187-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download