7137e863f0c972af8aae99cb8b8743441330952294bf504d4ea175c8381a2892

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Inquiry.docx
Size

10KB
MD5

82f2ab8db7d2ad671478e0a925d99c76
SHA1

c89965df875b405bcf3391d6b057af091ec80010
SHA256

7137e863f0c972af8aae99cb8b8743441330952294bf504d4ea175c8381a2892
SHA512

08ab972ac8a2dde07ae8397857f402c987b01072ad347c216f18fadb4fcfea4da27c35c2e8034acb23bf6190c633475406b355d549a5016cbb93c544814b535b
SSDEEP

192:pya0NXu2QWzARgZVPCK44AG9xXSJ+Ej7jJY1fKw4K5A7WYBcWe3maM2U:pyXXu2QWzANK4499xXSJf7jJYppVYBBx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2712	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 1 IoCs

pid	Process
1748	tonyspeiclaelen587138.exe

Loads dropped DLL 6 IoCs

pid	Process
2712	EQNEDT32.EXE
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	1748	WerFault.exe	29

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2712	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2760	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1748	2712	EQNEDT32.EXE	29
PID 2712 wrote to memory of 1748	2712	EQNEDT32.EXE	29
PID 2712 wrote to memory of 1748	2712	EQNEDT32.EXE	29
PID 2712 wrote to memory of 1748	2712	EQNEDT32.EXE	29
PID 2760 wrote to memory of 484	2760	WINWORD.EXE	35
PID 2760 wrote to memory of 484	2760	WINWORD.EXE	35
PID 2760 wrote to memory of 484	2760	WINWORD.EXE	35
PID 2760 wrote to memory of 484	2760	WINWORD.EXE	35
PID 1748 wrote to memory of 1504	1748	tonyspeiclaelen587138.exe	36
PID 1748 wrote to memory of 1504	1748	tonyspeiclaelen587138.exe	36
PID 1748 wrote to memory of 1504	1748	tonyspeiclaelen587138.exe	36
PID 1748 wrote to memory of 1504	1748	tonyspeiclaelen587138.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inquiry.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:484

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe
  "C:\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 660
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
a673c259e5ed0104d6775ac6ce9e6498

SHA1
324519deb6d6b343cdcf03a1d93db9793c1bc5b8

SHA256
687c398fd7176bbb51927c29d8ff6d3f16f20c6fb11e84a0f6ff3ddbdf3a85f1

SHA512
7bcb9a1f5bb3f9711faf6d92ff1be174d0beedb299d918934b75c18f84f06eabde0932aa4686a03407ac38c8e44f3808fa255a5b8531872fac1009a4cfe96446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5107D47F-1526-4D53-A6DC-966EA60DA5E5}.FSD

Filesize
128KB

MD5
7fb867fb64bf9424c3f3686e34c3c3f7

SHA1
5cdcb00842a3435afc8504c0f8a10f60aa0ef5e1

SHA256
f7c6499a1e08da078cec4eeed14a3e8ba7fa4c1366d26a0d3e739ece029b2e03

SHA512
e8f39852f3fd5a3c7a57ba77312730f7f265e041afb9748ab6f433180d044e0fc663fc8dbe417686c442777cbd285c2b6a26adef592ebf4477e5c17cba3fae5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\tonyspecialzx[1].doc

Filesize
40KB

MD5
3f5e1041a772ab1286cfe8fa8adc136d

SHA1
a7bd3f8edcc840719a16055637871c65e8194d34

SHA256
1709bb50f3d76ef58a47f8b4af7aeff626029e01ab0cbe53936cfe1a79525c54

SHA512
b8f602f3f41e81fc014714e9683a6d56193518d54851df12e428782648eef5b930fd2946192776138753a1c8f9059226caae1c0b2314d715d6c1f379ba016b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A0C0E22-16FC-4A94-95DC-63FAA3A18A93}

Filesize
128KB

MD5
580098a7671f429abc3eae4720ae239f

SHA1
02c23de6fd89beb22aa7c327c39f51eed362f397

SHA256
d4ea14cc82a91d907f500941c7f801b72578fe9ab375bbde0a093eb6516b910c

SHA512
062756f215b93d855d5b39a20531d351bdf210c9e5b4428efdadc2123ab9c477d2c38f3207c40edfd95ac1debca00ed5dde5155b6e620089d3e42b73aa0e4332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
7d1b9c534d6b6255289bb708f9495137

SHA1
9fc7b4e4bf2213535e743dbd1617244d0df60880

SHA256
6ab6bbfa370cccba0b94a55611a96a6bb276beaf8b0973d3b32fc09b1f9fcee6

SHA512
39863b6ac82dbfd4953236cdfd01665304e5cab639fbd2880e8da5d613e15a57b5943262ed5e6c70faa9d225bdcd72b060d31e18880bf0572f85826c304fb03b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
C:\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
C:\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
\Users\Admin\AppData\Roaming\tonyspeiclaelen587138.exe

Filesize
612KB

MD5
16db425be9bad426da8885521e42ac5b

SHA1
e6cab88d6bc7c0e62b9fbc94c3cd4c780224f49d

SHA256
6a1199521d9590a15689f05f34a81edac516fcc592dba18927b8adde0fe07cd1

SHA512
adaabb1653aff188248fa5c2fc2c4c56345d72b1e52b346b04d9a68c178471088f65cd86a5bdedf92774ee783f43f605b35bfc1f57e801e8391bff6bc9d8a4a8

Download Submit
memory/1748-169-0x000000006A520000-0x000000006AC0E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-150-0x00000000008F0000-0x000000000098E000-memory.dmp

Filesize
632KB

Download
memory/1748-151-0x000000006A520000-0x000000006AC0E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-156-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1748-170-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1748-172-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1748-166-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2760-56-0x0000000070C4D000-0x0000000070C58000-memory.dmp

Filesize
44KB

Download
memory/2760-54-0x000000002FC70000-0x000000002FDCD000-memory.dmp

Filesize
1.4MB

Download
memory/2760-168-0x0000000070C4D000-0x0000000070C58000-memory.dmp

Filesize
44KB

Download
memory/2760-167-0x000000002FC70000-0x000000002FDCD000-memory.dmp

Filesize
1.4MB

Download
memory/2760-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-201-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-202-0x0000000070C4D000-0x0000000070C58000-memory.dmp

Filesize
44KB

Download