warzonerat | 3077eb11b2b577d6d22fe5efaa8728192132a62a821dfe81af9f5626091c84b9

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO100223-JORDANARMOTIVE-REQUEST FOR QUOTE.rtf
Size

3KB
MD5

a987537f359de9010905273f3d1bac6a
SHA1

6dcc57cd338b5e3ebe59dbb8b5167ad9a4e21b7e
SHA256

3077eb11b2b577d6d22fe5efaa8728192132a62a821dfe81af9f5626091c84b9
SHA512

8e58e054234b4cf722037c00b5bed9e9aaac296481fc20849eccf075c41668575579ad1fdd41e623d04f31e34a612caffc9f98abaa9ed37082151b303f09d39e

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

osiarus.duckdns.org:4244

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2608-26-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2608-29-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2608-30-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2608-37-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2140	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2604	word.exe
2648	kdnrm.exe
2608	kdnrm.exe

Loads dropped DLL 3 IoCs

pid	Process
2140	EQNEDT32.EXE
2604	word.exe
2648	kdnrm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhhdmmvrrbwwgp = "C:\\Users\\Admin\\AppData\\Roaming\\cllhq\\qavvfooksso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kdnrm.exe\" "	kdnrm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2608	2648	kdnrm.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2140	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2944	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2648	kdnrm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	WINWORD.EXE
2944	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2604	2140	EQNEDT32.EXE	29
PID 2140 wrote to memory of 2604	2140	EQNEDT32.EXE	29
PID 2140 wrote to memory of 2604	2140	EQNEDT32.EXE	29
PID 2140 wrote to memory of 2604	2140	EQNEDT32.EXE	29
PID 2604 wrote to memory of 2648	2604	word.exe	30
PID 2604 wrote to memory of 2648	2604	word.exe	30
PID 2604 wrote to memory of 2648	2604	word.exe	30
PID 2604 wrote to memory of 2648	2604	word.exe	30
PID 2648 wrote to memory of 2608	2648	kdnrm.exe	33
PID 2648 wrote to memory of 2608	2648	kdnrm.exe	33
PID 2648 wrote to memory of 2608	2648	kdnrm.exe	33
PID 2648 wrote to memory of 2608	2648	kdnrm.exe	33
PID 2648 wrote to memory of 2608	2648	kdnrm.exe	33
PID 2944 wrote to memory of 1064	2944	WINWORD.EXE	35
PID 2944 wrote to memory of 1064	2944	WINWORD.EXE	35
PID 2944 wrote to memory of 1064	2944	WINWORD.EXE	35
PID 2944 wrote to memory of 1064	2944	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO100223-JORDANARMOTIVE-REQUEST FOR QUOTE.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1064

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\kdnrm.exe
    "C:\Users\Admin\AppData\Local\Temp\kdnrm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\kdnrm.exe
      "C:\Users\Admin\AppData\Local\Temp\kdnrm.exe"
      4⤵
      Executes dropped EXE
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdnrm.exe

Filesize
228KB

MD5
01413f955fba04a77046e285a07e47da

SHA1
212f2e29738be816c5d96fab2d2655edef619334

SHA256
3e5c8d0dd2be1d0408f66fa04105cb09dac7aaee574767b537d8916fffdc0b02

SHA512
410554a574546f3d974510a7220b67c51b3d73c7c7e11c84c3eb7966fb9ecba35f2634b70568d3c180f1da82dac69c80aaa5a648c6c28111c835232833bf0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdnrm.exe

Filesize
228KB

MD5
01413f955fba04a77046e285a07e47da

SHA1
212f2e29738be816c5d96fab2d2655edef619334

SHA256
3e5c8d0dd2be1d0408f66fa04105cb09dac7aaee574767b537d8916fffdc0b02

SHA512
410554a574546f3d974510a7220b67c51b3d73c7c7e11c84c3eb7966fb9ecba35f2634b70568d3c180f1da82dac69c80aaa5a648c6c28111c835232833bf0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdnrm.exe

Filesize
228KB

MD5
01413f955fba04a77046e285a07e47da

SHA1
212f2e29738be816c5d96fab2d2655edef619334

SHA256
3e5c8d0dd2be1d0408f66fa04105cb09dac7aaee574767b537d8916fffdc0b02

SHA512
410554a574546f3d974510a7220b67c51b3d73c7c7e11c84c3eb7966fb9ecba35f2634b70568d3c180f1da82dac69c80aaa5a648c6c28111c835232833bf0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlikc.lf

Filesize
118KB

MD5
c515acd40b1269fb3f969642b0d6d2ee

SHA1
ee55d175cf7476d34be955f289fc42c9bcb33df3

SHA256
3d8fd33fa1762b17e92e0e53c2782ba29df0a6b67954dacb04704e406fead144

SHA512
1fbf46fda41747217dca8b9391d5f91d287e81b80f02fb54a7bcf2349fb9a5de773cfb821db15bd89b9102c878dbc274ee7c9914b73182028088535920e10c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
85af48a999db2557253ea16dde626cf3

SHA1
49d8d1ebfd674112951e2db2dacf081e4b6f318f

SHA256
ffc0c7303892a74a729573f5867c0915fa9f0daa86aef91ae4dfd18c7751e511

SHA512
b6aedccd9b33ba385192b780beee4ebb3e1d74b1ac52667ec0731ccb18241d2ac0679e93487ab681936dfe944b8163c86a6bca34fc81625051f46e556c2c7421

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
275KB

MD5
a8dcae0690c61f8517b877b5191fc388

SHA1
c5916585a6c57343a13f70e17d9ce9161aa1eb33

SHA256
d5845fb6e5fb97ed020ef7affac7dbc381c53b12c8c223fd5f657795bd6bdea3

SHA512
2eb8b38c16d45234d66fb7171056d62a585396b7f6bcc2728c53b095b28a6fae80fbcd1b781ef7ad18bfae3783a7dd235e391cdc78dfd7924cc5e44d957d837a

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
275KB

MD5
a8dcae0690c61f8517b877b5191fc388

SHA1
c5916585a6c57343a13f70e17d9ce9161aa1eb33

SHA256
d5845fb6e5fb97ed020ef7affac7dbc381c53b12c8c223fd5f657795bd6bdea3

SHA512
2eb8b38c16d45234d66fb7171056d62a585396b7f6bcc2728c53b095b28a6fae80fbcd1b781ef7ad18bfae3783a7dd235e391cdc78dfd7924cc5e44d957d837a

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
275KB

MD5
a8dcae0690c61f8517b877b5191fc388

SHA1
c5916585a6c57343a13f70e17d9ce9161aa1eb33

SHA256
d5845fb6e5fb97ed020ef7affac7dbc381c53b12c8c223fd5f657795bd6bdea3

SHA512
2eb8b38c16d45234d66fb7171056d62a585396b7f6bcc2728c53b095b28a6fae80fbcd1b781ef7ad18bfae3783a7dd235e391cdc78dfd7924cc5e44d957d837a

Download Submit
\Users\Admin\AppData\Local\Temp\kdnrm.exe

Filesize
228KB

MD5
01413f955fba04a77046e285a07e47da

SHA1
212f2e29738be816c5d96fab2d2655edef619334

SHA256
3e5c8d0dd2be1d0408f66fa04105cb09dac7aaee574767b537d8916fffdc0b02

SHA512
410554a574546f3d974510a7220b67c51b3d73c7c7e11c84c3eb7966fb9ecba35f2634b70568d3c180f1da82dac69c80aaa5a648c6c28111c835232833bf0ec6

Download Submit
\Users\Admin\AppData\Local\Temp\kdnrm.exe

Filesize
228KB

MD5
01413f955fba04a77046e285a07e47da

SHA1
212f2e29738be816c5d96fab2d2655edef619334

SHA256
3e5c8d0dd2be1d0408f66fa04105cb09dac7aaee574767b537d8916fffdc0b02

SHA512
410554a574546f3d974510a7220b67c51b3d73c7c7e11c84c3eb7966fb9ecba35f2634b70568d3c180f1da82dac69c80aaa5a648c6c28111c835232833bf0ec6

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
275KB

MD5
a8dcae0690c61f8517b877b5191fc388

SHA1
c5916585a6c57343a13f70e17d9ce9161aa1eb33

SHA256
d5845fb6e5fb97ed020ef7affac7dbc381c53b12c8c223fd5f657795bd6bdea3

SHA512
2eb8b38c16d45234d66fb7171056d62a585396b7f6bcc2728c53b095b28a6fae80fbcd1b781ef7ad18bfae3783a7dd235e391cdc78dfd7924cc5e44d957d837a

Download Submit
memory/2608-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2608-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2608-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2608-37-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2648-21-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2944-0-0x000000002F8E1000-0x000000002F8E2000-memory.dmp

Filesize
4KB

Download
memory/2944-2-0x000000007164D000-0x0000000071658000-memory.dmp

Filesize
44KB

Download
memory/2944-36-0x000000007164D000-0x0000000071658000-memory.dmp

Filesize
44KB

Download
memory/2944-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-57-0x000000007164D000-0x0000000071658000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads