Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 26-03-2024 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: New Order 3118.rtf
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: New Order 3118.rtf
  Resource: win10v2004-20240319-en
General
Target: New Order 3118.rtf
Size: 3KB
MD5: 99a565b1df705062e82bd4d7587c2959
SHA1: 1817b3ef54cf96f71bbb581ef21c37c820c125f0
SHA256: e8fac55896700a6e6505cc1b8d4f98570358c0a1275564d587845cfb5ec47068
SHA512: 6893bb6540e7c92cb2d39dae83dd7e16a5ed0cc8bc468e13d65dc1a4e5b909bc9a249b306323167a986ee199b6ff6a9d444b673028e4b92aeb9b0b62607ed15c
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.gosportz.in
Port: 587
Username: [email protected]
Password: Ss@gosportz
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid  | process
4    | 2444 | EQNEDT32.EXE
5    | 2444 | EQNEDT32.EXE
8    | 2444 | EQNEDT32.EXE
10   | 2444 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid  | process
2488 | word.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid  | process
2444 | EQNEDT32.EXE
1984 | WerFault.exe
1984 | WerFault.exe
1984 | WerFault.exe
1984 | WerFault.exe
1984 | WerFault.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
11   | api.ipify.org
12   | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          | pid  | process  | target process
PID 2488 set thread context of 2328  | 2488 | word.exe | regsvcs.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description                    | ioc                                  | process
File opened for modification   | C:\Windows\Debug\WIA\wiatrace.log    | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid  | process
1844 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid  | process
2488 | word.exe (repeated; 31 of the 33 IoCs)
2328 | regsvcs.exe
2328 | regsvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description             | pid  | process
Token: SeDebugPrivilege | 2488 | word.exe
Token: SeDebugPrivilege | 2328 | regsvcs.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid  | process
1844 | WINWORD.EXE
1844 | WINWORD.EXE
2328 | regsvcs.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                         | pid  | process      | target process
PID 2444 wrote to memory of 2488    | 2444 | EQNEDT32.EXE | word.exe (4 entries)
PID 2488 wrote to memory of 2328    | 2488 | word.exe     | regsvcs.exe (12 entries)
PID 2488 wrote to memory of 1984    | 2488 | word.exe     | WerFault.exe (3 entries)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order 3118.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\word.exe
    Command line: C:\Users\Admin\AppData\Roaming\word.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    -
    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2488 -s 736
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 703KB
MD5: 65a47399be896d919d389ef7ff10d2d3
SHA1: 2b7b23c447ac4a0d5cf8ee7854c4de4d7d9fbff5
SHA256: 362817c5d64cbceace5cb56167e75587b9c81b39f34a8bb86d842fa87cdbacf1
SHA512: 18a4b3a3236f5d7f69bcea6c13605fab1e4d9879a6b9f13b684203087f030c69904284f5eff031cd7864a449fe65d7355659e88eaa978c44bdf3e65655a4ff97
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 270KB
MD5: c517141c53fef87b783709b53b5af6e1
SHA1: 0d5d72e962d228880d76dc73a14b3a51afe32c94
SHA256: 1a669065aa1a654d75c0f67e500ddedf583416822f320b2e990cd42068d82d48
SHA512: e1a3e24dcd7d25a69ecb789879f1f68e3edb6c325f814ff0c8ecb8840b367a48de054a7111d97d6b02a8f31c15819f1ea482f76b49cb2ebb9309587838b262db
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 265KB
MD5: 0e2520f305ca358f391094b000c48f94
SHA1: cf881c59b586daaa36358572491d973c442478e9
SHA256: 6f0920ee060770e906cb8d60dc9a9885339f71ceb3b8a0cdc88a8fb74a015afb
SHA512: d2441f2e50b8bdcbf7c5bea62ad3a71bf02844ced76dba87942672cbe4ab4d3dcde7cdc8f30ae3c863ad1934543f7b35fadb20fd7b5ea84120b6ffd9d3072be2
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 210KB
MD5: 8a2a1d5ec1ef76d8308155e55fd6d912
SHA1: 24e4d4b1fd2d0e8c2ee3db8e5196f62325585723
SHA256: 22070d72b253d60ceaea07706b887705e14998005063f8c3392a9125ab8affc4
SHA512: 1f89da2861a950601ad7f37c038cfe8ed4ce7e524ad4f232be43218f5d0d9af27340a7e66199111df38465db6e436be41f638e7da2a0936551c0dc4d368bfb76
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 258KB
MD5: d0ff90703574364c5c8df29cee862b19
SHA1: 2e0bcaf78e39cec8f5611cd13d8d8ca441723581
SHA256: bb0bab7b2d4962334deeb16aad86b94388a0e320da843a81a0a528b1958872d0
SHA512: 7c7f6758be6776ad8cabc0d28fa135f2470ece4f47aebb908fe201129813ddeca478878d079ee296e618abd8b02663cc0b552345f47c02af5186706015d2ae7a
-
\Users\Admin\AppData\Roaming\word.exe
Filesize: 269KB
MD5: 5655af8ef5eeb7c051262e31c2dee9b6
SHA1: 880a54f66939a3ee86848303cb69b4083ac66f9e
SHA256: 365f62a80445b361f1841645a03944e0218361dbc018b11039e159a35ba510ea
SHA512: 75be148f7ede696b68c8d7d5ad4af90b9e71ca4b3e890be06f1f1e473a2fc046725321e31490e5d5d50cb2d243be47664d06be3e46df526519c7327416dc0a7d
-
memory/1844-0-0x000000002FB91000-0x000000002FB92000-memory.dmp
Filesize: 4KB
-
memory/1844-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/1844-2-0x00000000713ED000-0x00000000713F8000-memory.dmp
Filesize: 44KB
-
memory/1844-56-0x00000000713ED000-0x00000000713F8000-memory.dmp
Filesize: 44KB
-
memory/2328-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB
-
memory/2328-55-0x000000006ADB0000-0x000000006B49E000-memory.dmp
Filesize: 6.9MB
-
memory/2328-40-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-38-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-47-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-49-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-42-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-43-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-60-0x0000000004B50000-0x0000000004B90000-memory.dmp
Filesize: 256KB
-
memory/2328-45-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize: 256KB
-
memory/2328-59-0x000000006ADB0000-0x000000006B49E000-memory.dmp
Filesize: 6.9MB
-
memory/2488-31-0x000000001ACE0000-0x000000001AD60000-memory.dmp
Filesize: 512KB
-
memory/2488-29-0x0000000001060000-0x0000000001080000-memory.dmp
Filesize: 128KB
-
memory/2488-57-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
Filesize: 9.9MB
-
memory/2488-58-0x000000001ACE0000-0x000000001AD60000-memory.dmp
Filesize: 512KB
-
memory/2488-30-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
Filesize: 9.9MB
-
memory/2488-37-0x0000000000D30000-0x0000000000DC6000-memory.dmp
Filesize: 600KB