056423487d9c1640e5a94f843a5068f537fdaeac6cffd6225eb7d34c0b27434b

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE-678738.rtf
Size

70KB
MD5

a9873a6bbc2bca4b14f3cf211d0fb231
SHA1

9aa9e1a85595fe3733b276196f2052c0bdc0e470
SHA256

056423487d9c1640e5a94f843a5068f537fdaeac6cffd6225eb7d34c0b27434b
SHA512

d482cf0a1e7123ae3c6a1fb43d8509304c65dedf187c55858b28abfe9586964f7363b15e391498346a9bc4979e88ac3bb561119a413174359cf778f382b9fc72
SSDEEP

1536:BwAlRmlZYFfZ8PZOGdOX/XLGfaiVb5xtjvFsu3AZsyatxFO5O5889jnhjE6VLnUu:BwAlUZYFfeBOGOv7Gfailtj9suOsyath

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	748	2188	raserver.exe	27

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2440	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2808	ghostm47568.exe
2592	ghostm47568.exe
2204	ghostm47568.exe

Loads dropped DLL 3 IoCs

pid	Process
2440	EQNEDT32.EXE
2440	EQNEDT32.EXE
748	raserver.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2204	2808	ghostm47568.exe	36
PID 2204 set thread context of 2188	2204	ghostm47568.exe	27
PID 2204 set thread context of 748	2204	ghostm47568.exe	37
PID 748 set thread context of 2188	748	raserver.exe	27

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2440	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3408354897-1169622894-3874090110-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2188	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2808	ghostm47568.exe
2808	ghostm47568.exe
2204	ghostm47568.exe
2204	ghostm47568.exe
2204	ghostm47568.exe
2204	ghostm47568.exe
748	raserver.exe
748	raserver.exe
748	raserver.exe
748	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2204	ghostm47568.exe
2188	WINWORD.EXE
2188	WINWORD.EXE
748	raserver.exe
748	raserver.exe
748	raserver.exe
748	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	ghostm47568.exe
Token: SeDebugPrivilege	2204	ghostm47568.exe
Token: SeDebugPrivilege	748	raserver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2188	WINWORD.EXE
2188	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2808	2440	EQNEDT32.EXE	29
PID 2440 wrote to memory of 2808	2440	EQNEDT32.EXE	29
PID 2440 wrote to memory of 2808	2440	EQNEDT32.EXE	29
PID 2440 wrote to memory of 2808	2440	EQNEDT32.EXE	29
PID 2188 wrote to memory of 2680	2188	WINWORD.EXE	34
PID 2188 wrote to memory of 2680	2188	WINWORD.EXE	34
PID 2188 wrote to memory of 2680	2188	WINWORD.EXE	34
PID 2188 wrote to memory of 2680	2188	WINWORD.EXE	34
PID 2808 wrote to memory of 2592	2808	ghostm47568.exe	35
PID 2808 wrote to memory of 2592	2808	ghostm47568.exe	35
PID 2808 wrote to memory of 2592	2808	ghostm47568.exe	35
PID 2808 wrote to memory of 2592	2808	ghostm47568.exe	35
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2808 wrote to memory of 2204	2808	ghostm47568.exe	36
PID 2188 wrote to memory of 748	2188	WINWORD.EXE	37
PID 2188 wrote to memory of 748	2188	WINWORD.EXE	37
PID 2188 wrote to memory of 748	2188	WINWORD.EXE	37
PID 2188 wrote to memory of 748	2188	WINWORD.EXE	37
PID 748 wrote to memory of 2080	748	raserver.exe	39
PID 748 wrote to memory of 2080	748	raserver.exe	39
PID 748 wrote to memory of 2080	748	raserver.exe	39
PID 748 wrote to memory of 2080	748	raserver.exe	39
PID 748 wrote to memory of 2080	748	raserver.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE-678738.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2680
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2080

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\ghostm47568.exe
  "C:\Users\Admin\AppData\Roaming\ghostm47568.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Roaming\ghostm47568.exe
    "C:\Users\Admin\AppData\Roaming\ghostm47568.exe"
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Users\Admin\AppData\Roaming\ghostm47568.exe
    "C:\Users\Admin\AppData\Roaming\ghostm47568.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gjeljf_.zip

Filesize
444KB

MD5
d71848944418c67f6eb230682f9a969a

SHA1
11d37a0eccbaf9995c6b236ff1a99d174a2566bd

SHA256
efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e

SHA512
7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c07201333823dd9a69b63ccb751167eb

SHA1
cb41aa0e42e4fc0eb1962cebdf300162fb32c66f

SHA256
6067456ac7dd50dbb455058cfd8adf1ae42b8e7bfed2f6735d3dc8629b7e19fd

SHA512
e4f27151eea557dc10380cf0781f31a7910ea6ef12f77137dd3b8ab02b9826d8a67fbe5ab610ffc125c7be5313a9891ee3649108b926ed04d732a445570c649a

Download Submit
C:\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
C:\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
C:\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
C:\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
C:\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
\Users\Admin\AppData\Roaming\ghostm47568.exe

Filesize
761KB

MD5
a32ef83808036941c73fb567a2a63a43

SHA1
20d735d51b1d9397a69957c20ef54b3f67b97d8f

SHA256
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f

SHA512
c8b44ae2fd118b060c61c924970952f3a5ede3cc9341649b316aac97161a0db5ab61f3a320f0bf72b54d46386518f72d765d3959320ab209b565f04104045d1e

Download Submit
memory/748-98-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/748-54-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/748-49-0x0000000001E80000-0x0000000002183000-memory.dmp

Filesize
3.0MB

Download
memory/748-46-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/748-48-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/748-96-0x0000000002190000-0x0000000002221000-memory.dmp

Filesize
580KB

Download
memory/748-50-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/2188-2-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/2188-55-0x0000000006390000-0x0000000006497000-memory.dmp

Filesize
1.0MB

Download
memory/2188-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-119-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/2188-53-0x0000000006390000-0x0000000006497000-memory.dmp

Filesize
1.0MB

Download
memory/2188-0-0x000000002FA30000-0x000000002FB8D000-memory.dmp

Filesize
1.4MB

Download
memory/2188-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-52-0x0000000006390000-0x0000000006497000-memory.dmp

Filesize
1.0MB

Download
memory/2188-51-0x00000000066C0000-0x0000000006C3D000-memory.dmp

Filesize
5.5MB

Download
memory/2188-118-0x0000000006390000-0x0000000006497000-memory.dmp

Filesize
1.0MB

Download
memory/2188-45-0x00000000066C0000-0x0000000006C3D000-memory.dmp

Filesize
5.5MB

Download
memory/2188-27-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/2188-26-0x000000002FA30000-0x000000002FB8D000-memory.dmp

Filesize
1.4MB

Download
memory/2204-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-44-0x0000000000780000-0x0000000000A83000-memory.dmp

Filesize
3.0MB

Download
memory/2204-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-33-0x0000000004FE0000-0x0000000005054000-memory.dmp

Filesize
464KB

Download
memory/2808-43-0x000000006BA40000-0x000000006C12E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-32-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2808-31-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2808-29-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2808-28-0x000000006BA40000-0x000000006C12E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-25-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/2808-20-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2808-19-0x000000006BA40000-0x000000006C12E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-18-0x0000000001340000-0x0000000001404000-memory.dmp

Filesize
784KB

Download