3f64540878afa068e4bc7de3af3d3b48c0aa767e6e7ec94f9179b3cdd9768ac5

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE-9730015.docx
Size

11KB
MD5

86cf81e87b56f308ce6f4c88a1066415
SHA1

d690c7e0067766162a9bb085ab510be2836d2074
SHA256

3f64540878afa068e4bc7de3af3d3b48c0aa767e6e7ec94f9179b3cdd9768ac5
SHA512

9c72f7ce5503674e55cf133fee6c5d4dfd2e2619bc80f081394943ba509f43ac3918b7e69c5de78ba512323e567abbc25a1bca692865ce0fb3712c3d8bb96769
SSDEEP

192:9Eya0NRfX9i7jWoj4N5eNA2A+EnVs+mg1SoB8NJY6TO36PvUwKzQaUCaY9pFcWex:SyXRfkPWku5+A2bkBdBGJYuOqPqQc9zE

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2192	2296	wininit.exe	27

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2920	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2912	ghostdh476528.exe
2120	ghostdh476528.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	EQNEDT32.EXE
2192	wininit.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2120	2912	ghostdh476528.exe	36
PID 2120 set thread context of 2296	2120	ghostdh476528.exe	27
PID 2120 set thread context of 2192	2120	ghostdh476528.exe	37
PID 2192 set thread context of 2296	2192	wininit.exe	27

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2920	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1014134971-2480516131-292343513-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2296	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2120	ghostdh476528.exe
2120	ghostdh476528.exe
2120	ghostdh476528.exe
2120	ghostdh476528.exe
2192	wininit.exe
2192	wininit.exe
2192	wininit.exe
2192	wininit.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2120	ghostdh476528.exe
2296	WINWORD.EXE
2296	WINWORD.EXE
2192	wininit.exe
2192	wininit.exe
2192	wininit.exe
2192	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	ghostdh476528.exe
Token: SeDebugPrivilege	2192	wininit.exe
Token: SeShutdownPrivilege	2296	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2296	WINWORD.EXE
2296	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2912	2920	EQNEDT32.EXE	32
PID 2920 wrote to memory of 2912	2920	EQNEDT32.EXE	32
PID 2920 wrote to memory of 2912	2920	EQNEDT32.EXE	32
PID 2920 wrote to memory of 2912	2920	EQNEDT32.EXE	32
PID 2296 wrote to memory of 1832	2296	WINWORD.EXE	35
PID 2296 wrote to memory of 1832	2296	WINWORD.EXE	35
PID 2296 wrote to memory of 1832	2296	WINWORD.EXE	35
PID 2296 wrote to memory of 1832	2296	WINWORD.EXE	35
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2912 wrote to memory of 2120	2912	ghostdh476528.exe	36
PID 2296 wrote to memory of 2192	2296	WINWORD.EXE	37
PID 2296 wrote to memory of 2192	2296	WINWORD.EXE	37
PID 2296 wrote to memory of 2192	2296	WINWORD.EXE	37
PID 2296 wrote to memory of 2192	2296	WINWORD.EXE	37
PID 2192 wrote to memory of 280	2192	wininit.exe	38
PID 2192 wrote to memory of 280	2192	wininit.exe	38
PID 2192 wrote to memory of 280	2192	wininit.exe	38
PID 2192 wrote to memory of 280	2192	wininit.exe	38
PID 2192 wrote to memory of 280	2192	wininit.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE-9730015.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1832
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:280

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Roaming\ghostdh476528.exe
  "C:\Users\Admin\AppData\Roaming\ghostdh476528.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\ghostdh476528.exe
    "C:\Users\Admin\AppData\Roaming\ghostdh476528.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AF869B27-F385-40EA-B318-C1B1F37F7320}.FSD

Filesize
128KB

MD5
4c6b682b2d799914cd4eeaf3b1a6e736

SHA1
87cafcd56c83e59cc917969cf861ec564023dc60

SHA256
17e8b884f9c776e54fa93763370fe94cc5b77b46d7fdf25d74c8d3fccf5a7f2b

SHA512
c1e405d2d58be8e600df6746663cef8628cb9e5ed3cd491275fa6fd0296c5009b3ed79ae23e01d58e2acf6024210e5aae64c54d4f810e7e3b0ff4dbbc2f56ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
d35cd6260df398f49fccdd9d0c97c470

SHA1
b967e1b05c6e0d4035a2af78956ce657f39ae0a1

SHA256
f4c7041916bfc4452007a6ba3b862d0c289463b6aa19c18484e15f74d25a2cc9

SHA512
bbd0516f5fc777fd9b117c5fd0525ab0a44e6c2da5773a6a3ccd6055e6d5939623fbcd4bd450e8edae181b5617b5cee9b1f61c85f7793c75367d6a2bd25eceb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{86A1E92E-36AD-42A4-9A9D-30F5B510C826}.FSD

Filesize
128KB

MD5
145f257cd19508a565693b2e916fe790

SHA1
3cd5eb57b41be3e442c4d4331ecd6a2b658c36af

SHA256
fb5692ce5ac796ebde379088440fc3de5f7164f025ee0cbc969abbb966506834

SHA512
830fb46a39ef56c7c1273331c2178c5080543571a23182a3f82e6015f22a1eb09ef3fe5268beaba05429c1698306fcd604cf1666d596f4218f91bc39653acd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AJTUMOT\ghostzx[1].doc

Filesize
92KB

MD5
e6ec31abd924dd83e5829624c8400bfe

SHA1
02063a4750762b451c9c7b801858ca45fb26a4aa

SHA256
8eb67d4db341e3c1a2494e6cd111add9599850f62f65818dfd9f8f45aa49d257

SHA512
a25bf31d29e61a0ac04e28f9e2ea00f23914fe4a412fe70e413f66cb8305928266ba6f97e3a4c09fa074f028ee6ccf0f681e113fc185efe196d93c19bce22e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbjlq88.zip

Filesize
431KB

MD5
fa9b7c190006303eecddffa019d0be06

SHA1
a97cebc176b3daa453189f2c0b7cf2a5a70f9c92

SHA256
dc7f8b3493543dc086cb43b66401893597f993408f18b437e5c8e8b5544db0bf

SHA512
4c293ef052a14f7527aa42d451ba5f4cfdf7fb7203f583eda34ef24f4a2fd13975553c432a9354a0f8c1de924b0c29a819bd34c7aaa03b642372496a75be0532

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D194F776-B06D-4535-8FEF-7342DBBFD576}

Filesize
128KB

MD5
99b02272237d880936ff0f3fd9b5e43f

SHA1
a0ebfb1a0e06d00ac226d5b6f571bceb2744ea3d

SHA256
a1c2e0cb35e671ad043e635bd58cae1c6a4e2c3b54a618e53479b063ceee45b0

SHA512
7f97bdc5eccd804bd106216d72f583e4dac23b1501be9a19283ec62e875e0dd05493a71b4a56163f65a3fa64310855d3e647b97d0b05612d2eb8d4b3a9cf60fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
4a5cde52b12ca4729c246f2d2f032319

SHA1
25acbc40d981fc86996bdbab3c0ec7fc57ef4118

SHA256
5be9343fcaa0ccf4c13acec89b0eb4f16b8ca80429680cd8e99e05955fe3fa26

SHA512
0742f2cdeb6a25d5cabe44af8cd89f93c7b7212f24cb6db5ec5f7bf2751751b62054568e556cc3c5806758f0dfb927d9245e5d92ec246eeab938ddad115b866f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ghostdh476528.exe

Filesize
675KB

MD5
ec2cc8690bf6aa4e900fd060b7d2d823

SHA1
da5385395718f40d9495fdc46b2849faa9716c9d

SHA256
777cd370c931886c5ed614359520434363ba0c035c2fecfb3267d5c09e0dcea0

SHA512
709fe7791d6c542bee2965a3db93449a3f4d523c88ed0fbcd01abf7fd0014f185f576735593ee21bc25001eff97321eb4c3b918bc5ce5e074e056fa7923d368f

Download Submit
C:\Users\Admin\AppData\Roaming\ghostdh476528.exe

Filesize
675KB

MD5
ec2cc8690bf6aa4e900fd060b7d2d823

SHA1
da5385395718f40d9495fdc46b2849faa9716c9d

SHA256
777cd370c931886c5ed614359520434363ba0c035c2fecfb3267d5c09e0dcea0

SHA512
709fe7791d6c542bee2965a3db93449a3f4d523c88ed0fbcd01abf7fd0014f185f576735593ee21bc25001eff97321eb4c3b918bc5ce5e074e056fa7923d368f

Download Submit
C:\Users\Admin\AppData\Roaming\ghostdh476528.exe

Filesize
675KB

MD5
ec2cc8690bf6aa4e900fd060b7d2d823

SHA1
da5385395718f40d9495fdc46b2849faa9716c9d

SHA256
777cd370c931886c5ed614359520434363ba0c035c2fecfb3267d5c09e0dcea0

SHA512
709fe7791d6c542bee2965a3db93449a3f4d523c88ed0fbcd01abf7fd0014f185f576735593ee21bc25001eff97321eb4c3b918bc5ce5e074e056fa7923d368f

Download Submit
C:\Users\Admin\AppData\Roaming\ghostdh476528.exe

Filesize
675KB

MD5
ec2cc8690bf6aa4e900fd060b7d2d823

SHA1
da5385395718f40d9495fdc46b2849faa9716c9d

SHA256
777cd370c931886c5ed614359520434363ba0c035c2fecfb3267d5c09e0dcea0

SHA512
709fe7791d6c542bee2965a3db93449a3f4d523c88ed0fbcd01abf7fd0014f185f576735593ee21bc25001eff97321eb4c3b918bc5ce5e074e056fa7923d368f

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
825KB

MD5
00a91261929192a7facc32a9f330029a

SHA1
7df4ffdf48a6df0bac21a82d6db56aa11db470dc

SHA256
c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f

SHA512
18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

Download Submit
\Users\Admin\AppData\Roaming\ghostdh476528.exe

Filesize
675KB

MD5
ec2cc8690bf6aa4e900fd060b7d2d823

SHA1
da5385395718f40d9495fdc46b2849faa9716c9d

SHA256
777cd370c931886c5ed614359520434363ba0c035c2fecfb3267d5c09e0dcea0

SHA512
709fe7791d6c542bee2965a3db93449a3f4d523c88ed0fbcd01abf7fd0014f185f576735593ee21bc25001eff97321eb4c3b918bc5ce5e074e056fa7923d368f

Download Submit
memory/2120-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-180-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/2120-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-175-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2120-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-187-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/2192-183-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/2192-236-0x0000000000A60000-0x0000000000AF1000-memory.dmp

Filesize
580KB

Download
memory/2192-234-0x0000000000A60000-0x0000000000AF1000-memory.dmp

Filesize
580KB

Download
memory/2192-233-0x0000000061E00000-0x0000000061EBC000-memory.dmp

Filesize
752KB

Download
memory/2192-191-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/2192-186-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download
memory/2192-184-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/2296-55-0x000000007175D000-0x0000000071768000-memory.dmp

Filesize
44KB

Download
memory/2296-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-155-0x000000002FAC0000-0x000000002FC1D000-memory.dmp

Filesize
1.4MB

Download
memory/2296-259-0x000000007175D000-0x0000000071768000-memory.dmp

Filesize
44KB

Download
memory/2296-258-0x0000000005C20000-0x0000000005D14000-memory.dmp

Filesize
976KB

Download
memory/2296-257-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-157-0x000000007175D000-0x0000000071768000-memory.dmp

Filesize
44KB

Download
memory/2296-53-0x000000002FAC0000-0x000000002FC1D000-memory.dmp

Filesize
1.4MB

Download
memory/2296-188-0x00000000093B0000-0x000000000A3F5000-memory.dmp

Filesize
16.3MB

Download
memory/2296-189-0x0000000005C20000-0x0000000005D14000-memory.dmp

Filesize
976KB

Download
memory/2296-190-0x0000000005C20000-0x0000000005D14000-memory.dmp

Filesize
976KB

Download
memory/2296-181-0x00000000093B0000-0x000000000A3F5000-memory.dmp

Filesize
16.3MB

Download
memory/2296-192-0x0000000005C20000-0x0000000005D14000-memory.dmp

Filesize
976KB

Download
memory/2912-158-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2912-172-0x0000000007F80000-0x0000000007FF6000-memory.dmp

Filesize
472KB

Download
memory/2912-168-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-169-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2912-171-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2912-148-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-150-0x0000000000980000-0x0000000000A30000-memory.dmp

Filesize
704KB

Download
memory/2912-179-0x000000006AFC0000-0x000000006B6AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-156-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download