Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
19-09-2023 16:20
Static task
static1
Behavioral task
behavioral1
Sample
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf
Resource
win10v2004-20230915-en
General
-
Target
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf
-
Size
92KB
-
MD5
87dc64cd0d2d13f4897619c008540bcb
-
SHA1
7f191350095893ebc3e1aa0e9e79dc083961e697
-
SHA256
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0
-
SHA512
09e5d4f84ee2da4306cd4ddc97bebec6071b075e236ef861149daf30ae156d7e0b6f6882926eb7e0f841988424e07d283f505d9de4d91955e1f305961b05b755
-
SSDEEP
768:ewAbZSibMX9gRWjFrOxpo0gcdOSY04ttpVtocQWILLIYGYsTqcmtDU9YHL:ewAlRQKxmidnY04ttpXoeyhGYsVmtYUL
Malware Config
Extracted
xpertrat
3.0.10
STRIGIO
sandshoe.myfirewall.org:5344
I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4
Signatures
-
Processes:
sandshoebnf5783.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sandshoebnf5783.exe -
Processes:
sandshoebnf5783.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" sandshoebnf5783.exe -
XpertRAT Core payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2168-44-0x0000000000400000-0x0000000000443000-memory.dmp xpertrat -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4.exe" iexplore.exe -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 2164 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
sandshoebnf5783.exesandshoebnf5783.exepid process 2644 sandshoebnf5783.exe 2544 sandshoebnf5783.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 2164 EQNEDT32.EXE -
Processes:
sandshoebnf5783.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" sandshoebnf5783.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4.exe" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4.exe" iexplore.exe -
Processes:
sandshoebnf5783.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sandshoebnf5783.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
sandshoebnf5783.exesandshoebnf5783.exedescription pid process target process PID 2644 set thread context of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2544 set thread context of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 set thread context of 2168 2544 sandshoebnf5783.exe iexplore.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 3004 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
sandshoebnf5783.exepid process 2544 sandshoebnf5783.exe 2544 sandshoebnf5783.exe 2544 sandshoebnf5783.exe 2544 sandshoebnf5783.exe 2544 sandshoebnf5783.exe 2544 sandshoebnf5783.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
iexplore.exedescription pid process Token: SeDebugPrivilege 2168 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
WINWORD.EXEsandshoebnf5783.exeiexplore.exepid process 3004 WINWORD.EXE 3004 WINWORD.EXE 2544 sandshoebnf5783.exe 2168 iexplore.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEsandshoebnf5783.exesandshoebnf5783.exedescription pid process target process PID 2164 wrote to memory of 2644 2164 EQNEDT32.EXE sandshoebnf5783.exe PID 2164 wrote to memory of 2644 2164 EQNEDT32.EXE sandshoebnf5783.exe PID 2164 wrote to memory of 2644 2164 EQNEDT32.EXE sandshoebnf5783.exe PID 2164 wrote to memory of 2644 2164 EQNEDT32.EXE sandshoebnf5783.exe PID 3004 wrote to memory of 2492 3004 WINWORD.EXE splwow64.exe PID 3004 wrote to memory of 2492 3004 WINWORD.EXE splwow64.exe PID 3004 wrote to memory of 2492 3004 WINWORD.EXE splwow64.exe PID 3004 wrote to memory of 2492 3004 WINWORD.EXE splwow64.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2644 wrote to memory of 2544 2644 sandshoebnf5783.exe sandshoebnf5783.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2428 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe PID 2544 wrote to memory of 2168 2544 sandshoebnf5783.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
sandshoebnf5783.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sandshoebnf5783.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe4⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD50a32eb32ad27b80e48efb80408095c8b
SHA16b7e0cca0162f2937ab92f7a81d8e7f298eaf3a6
SHA2563087cd84cfa022fa81bc4366e55930be2d432b54641c2b56c2e3277d9f421210
SHA5120aeb5bc731dc9a258ff73a86b9498a33e1d23cf828936da324433d05623026a31b0eebc0922bffb9a603b45fdee0f7f9c23c756bb17d3c92a75550541ff63262
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exeFilesize
795KB
MD5102dfca73df9a539a34b886349365381
SHA135b90a9ae3dc136502102017c0488c5fc028eae1
SHA25627216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9
SHA5124335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exeFilesize
795KB
MD5102dfca73df9a539a34b886349365381
SHA135b90a9ae3dc136502102017c0488c5fc028eae1
SHA25627216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9
SHA5124335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exeFilesize
795KB
MD5102dfca73df9a539a34b886349365381
SHA135b90a9ae3dc136502102017c0488c5fc028eae1
SHA25627216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9
SHA5124335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316
-
C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exeFilesize
795KB
MD5102dfca73df9a539a34b886349365381
SHA135b90a9ae3dc136502102017c0488c5fc028eae1
SHA25627216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9
SHA5124335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316
-
\Users\Admin\AppData\Roaming\sandshoebnf5783.exeFilesize
795KB
MD5102dfca73df9a539a34b886349365381
SHA135b90a9ae3dc136502102017c0488c5fc028eae1
SHA25627216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9
SHA5124335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316
-
memory/2168-44-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/2544-32-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2544-36-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2544-51-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2544-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2544-30-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2544-28-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2644-41-0x000000006B800000-0x000000006BEEE000-memory.dmpFilesize
6.9MB
-
memory/2644-27-0x0000000005F00000-0x0000000005F6C000-memory.dmpFilesize
432KB
-
memory/2644-24-0x000000006B800000-0x000000006BEEE000-memory.dmpFilesize
6.9MB
-
memory/2644-26-0x0000000000620000-0x000000000062A000-memory.dmpFilesize
40KB
-
memory/2644-22-0x00000000005F0000-0x0000000000608000-memory.dmpFilesize
96KB
-
memory/2644-17-0x0000000000D80000-0x0000000000DC0000-memory.dmpFilesize
256KB
-
memory/2644-15-0x0000000001390000-0x000000000145C000-memory.dmpFilesize
816KB
-
memory/2644-16-0x000000006B800000-0x000000006BEEE000-memory.dmpFilesize
6.9MB
-
memory/3004-23-0x000000007164D000-0x0000000071658000-memory.dmpFilesize
44KB
-
memory/3004-2-0x000000007164D000-0x0000000071658000-memory.dmpFilesize
44KB
-
memory/3004-0-0x000000002F1C1000-0x000000002F1C2000-memory.dmpFilesize
4KB
-
memory/3004-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/3004-69-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/3004-70-0x000000007164D000-0x0000000071658000-memory.dmpFilesize
44KB