089462a333a00823a7b2b3f06a622107ff50187c1e7c16fa53a0e67202373bdf

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER_Letter.docx
Size

11KB
MD5

4eae6776404bb5c2d7c674f8416d64d0
SHA1

7b6cfd8ee65beb455e48b1163e8b2f96754fbb92
SHA256

089462a333a00823a7b2b3f06a622107ff50187c1e7c16fa53a0e67202373bdf
SHA512

c9391023ec8836a0f2944f120e2a2ea0547d4eb3b52a8cf7aa28dc21927ff3e1af6d7c63d2f07f522519399e5a676614113c7c2e65437eb1e78e6098cb9d6cc9
SSDEEP

192:rya0NzkeOW/4N5eNA2A+EnVs+mg1SoBBJYNO36PvQKx48Y9WcWe8ruP:ryXzkeOW/u5+A2bkBdBBJYNOqPx4Z9W4

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1444	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1052	lawserhgj5784.exe
2360	lawserhgj5784.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	EQNEDT32.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2360	1052	lawserhgj5784.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1444	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1276	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	lawserhgj5784.exe
2360	lawserhgj5784.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	lawserhgj5784.exe
Token: SeShutdownPrivilege	1276	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1276	WINWORD.EXE
1276	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1052	1444	EQNEDT32.EXE	29
PID 1444 wrote to memory of 1052	1444	EQNEDT32.EXE	29
PID 1444 wrote to memory of 1052	1444	EQNEDT32.EXE	29
PID 1444 wrote to memory of 1052	1444	EQNEDT32.EXE	29
PID 1276 wrote to memory of 1792	1276	WINWORD.EXE	35
PID 1276 wrote to memory of 1792	1276	WINWORD.EXE	35
PID 1276 wrote to memory of 1792	1276	WINWORD.EXE	35
PID 1276 wrote to memory of 1792	1276	WINWORD.EXE	35
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36
PID 1052 wrote to memory of 2360	1052	lawserhgj5784.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEW ORDER_Letter.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1792

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe
  "C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe
    "C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
1497b20f9eb4bbc765d580c5d3941574

SHA1
86e771f2491275a16dc614d05e7c8e921bb5bfc5

SHA256
21aabded9114a1030b6b69abfe7743dc54302f3dfb2cf1ecd7959c04ae34d42f

SHA512
8473120ed71c5d52342717b532e5b5e56df20a5ad463607930875b95c0c4022ef7494561f2ae6b618b6fb894beb57162b1f2107e73756f6afc5ab7b2a7699e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BD368E3C-DF0F-40F9-8F76-45FF1335CE9B}.FSD

Filesize
128KB

MD5
8df258d8bd3090c17d8df979016c2c7f

SHA1
8f54ed094bc6a3edd026d7781e9422a462575fc7

SHA256
9e092e0844daddac9bdd7e7b1b371ed34cfc5e4a8daa22e595d7640e6ec4fb10

SHA512
2fc38d0dce32e51fbeeb33e58ec68ab4b6f40c708ae7d93d364c3a015d797402a43dfc66eda1092f6fc59361ee7b01254c91e9908610b0337f94f872e8ef84ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
57287729d8c8eb3a899e19cb77fcd15e

SHA1
be0aadf7a2d1cb12a70b70d2ff73b85932896077

SHA256
8db1c9c33bbf7a0a80dcb918e8fdb36e9fd58df2f503c3a59aea04ef06c84330

SHA512
9ae3f7f8d80ce30f1429e76777cc61bc4f83377837436fc0d3c8df9f4cb11676a90ec66f49ee5e23871993f5e970bdb16c55d8fa4c0cdfa1b7dbfa66a90907d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D67AF006-FBF5-459A-8C7D-686C9CC36E84}.FSD

Filesize
128KB

MD5
7e2b12161bf4c62f4104a345b371923c

SHA1
be218819f92f38ddff2b4ff06aef70f6ced286bc

SHA256
a6daa69a86b12ad73b5356ef95f16b29ed2f4b1366ad19efaaa34cabf69baa68

SHA512
73e0d693a2feb7515ed34d1418c02d1883146f6576cdeb33f8474680cc2b3a91a3950a4af76251dd53dd917c2403c1f602c549177e3f6f0a4e7fad3965d9bdd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEWWZC8O\lawzx[1].doc

Filesize
48KB

MD5
bc89a42094fac06d565983f94cb4fa2a

SHA1
d7a9a95e4a4b3c4a1e60262fece5e041f18c002c

SHA256
ed248657afc15600a6b8e5b9cfa94203f9bfeda0ebd1a3007356e99836adeddf

SHA512
017eea17ae76ddef3d501a1a1eccdd692c7359f08e9d0369307ad539a8324e4a0cf97228d8c82e86d26d48c4316c3460096546f1eb3961b28fe0a1a01fd0a4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E2094CDB-6BD2-4003-A292-DAB38F0B8E70}

Filesize
128KB

MD5
586cae36a6da4495e78fd4524018275c

SHA1
d2856854612a177d979f5e98fca92426b8bd70c4

SHA256
f91696a435f460747f187a44e2ada428dadd01de158c71904da49f4c725eb648

SHA512
b046abb565759ddd04a8cc496329ce90b7094fa83df911a02dde4e58e0cf1cc02a8b33a39363a119bc62527616c976de9d07bff6a251f8e618a0d0f4e47e91e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
28f61f5a7512a97e3b44b5d0cdc3068d

SHA1
edd1875ce6ff3e208007234feee77dc40f44abae

SHA256
829bf0c3ebdba32d35f4443772edf988cf88c0c3b6856c7834a9a47552a58f6e

SHA512
f239e2afc983d39e7d513eb69b563087244283de24e258aa33ce5e369417f4737d0750c8023ce5860b3160eb4b46fac0657737903ccdd04358fdc33bdaa9ed15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe

Filesize
747KB

MD5
f7687a10bf31777ddad97b1d0907bdc6

SHA1
85c1582ebcd476730ec5e098b58078c8d803063d

SHA256
4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

SHA512
05fadaf0c07d13594629be8765ff34d012107045fb61d21c629d6632cc62aa1766a2f2046244b2e9d45f3e34d2e90f7ef6ea11dcf759153a4107fe25d6f535f2

Download Submit
C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe

Filesize
747KB

MD5
f7687a10bf31777ddad97b1d0907bdc6

SHA1
85c1582ebcd476730ec5e098b58078c8d803063d

SHA256
4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

SHA512
05fadaf0c07d13594629be8765ff34d012107045fb61d21c629d6632cc62aa1766a2f2046244b2e9d45f3e34d2e90f7ef6ea11dcf759153a4107fe25d6f535f2

Download Submit
C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe

Filesize
747KB

MD5
f7687a10bf31777ddad97b1d0907bdc6

SHA1
85c1582ebcd476730ec5e098b58078c8d803063d

SHA256
4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

SHA512
05fadaf0c07d13594629be8765ff34d012107045fb61d21c629d6632cc62aa1766a2f2046244b2e9d45f3e34d2e90f7ef6ea11dcf759153a4107fe25d6f535f2

Download Submit
C:\Users\Admin\AppData\Roaming\lawserhgj5784.exe

Filesize
747KB

MD5
f7687a10bf31777ddad97b1d0907bdc6

SHA1
85c1582ebcd476730ec5e098b58078c8d803063d

SHA256
4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

SHA512
05fadaf0c07d13594629be8765ff34d012107045fb61d21c629d6632cc62aa1766a2f2046244b2e9d45f3e34d2e90f7ef6ea11dcf759153a4107fe25d6f535f2

Download Submit
\Users\Admin\AppData\Roaming\lawserhgj5784.exe

Filesize
747KB

MD5
f7687a10bf31777ddad97b1d0907bdc6

SHA1
85c1582ebcd476730ec5e098b58078c8d803063d

SHA256
4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

SHA512
05fadaf0c07d13594629be8765ff34d012107045fb61d21c629d6632cc62aa1766a2f2046244b2e9d45f3e34d2e90f7ef6ea11dcf759153a4107fe25d6f535f2

Download Submit
memory/1052-170-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1052-172-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1052-156-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1052-184-0x000000006B340000-0x000000006BA2E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-166-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1052-150-0x00000000010A0000-0x0000000001160000-memory.dmp

Filesize
768KB

Download
memory/1052-151-0x000000006B340000-0x000000006BA2E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-173-0x0000000008040000-0x00000000080BC000-memory.dmp

Filesize
496KB

Download
memory/1052-169-0x000000006B340000-0x000000006BA2E000-memory.dmp

Filesize
6.9MB

Download
memory/1276-56-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download
memory/1276-168-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download
memory/1276-213-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download
memory/1276-212-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1276-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1276-167-0x000000002F290000-0x000000002F3ED000-memory.dmp

Filesize
1.4MB

Download
memory/1276-54-0x000000002F290000-0x000000002F3ED000-memory.dmp

Filesize
1.4MB

Download
memory/2360-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-179-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-188-0x000000006A810000-0x000000006AEFE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-189-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2360-190-0x000000006A810000-0x000000006AEFE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-191-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2360-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download