crimsonrat | dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676

General

Target

dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc
Size

790KB
MD5

c7a3276763a5c1b13f93028aab5a6e73
SHA1

c2844b69a36b3be37f8db97b0afc051f6bf36671
SHA256

dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676
SHA512

2ef8d3eb3f1368591666d9f85dddb210c05fe16569f3553086f42d7b82133669c5a9e7fe1263407bb54bb9f75216ef9fcb78348427e334ef74afd6e3f429c01a
SSDEEP

3072:PkWc08tG41FHiopEomJ9/GuloC5pUAn0YoKpbqZSvYYzU6lXHaym97m/EE3fzLvd:PkA

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

C2

151.106.14.125

211.210.122.154

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Dlymrdsa\ravidhtirad.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

ravidhtirad.exe

pid process

2596 ravidhtirad.exe
Loads dropped DLL 1 IoCs

Processes:

WINWORD.EXE

pid process

1328 WINWORD.EXE

pid	process
2596	ravidhtirad.exe

pid	process
1328	WINWORD.EXE

Drops file in Program Files directory 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File created	C:\PROGRA~3\Dlymrdsa\ravidhtirad.exe	WINWORD.EXE
File opened for modification	C:\PROGRA~3\Dlymrdsa\ravidhtirad.exe	WINWORD.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{09B91BCF-E66F-4F20-A899-E21EB6E5D54D}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{09B91BCF-E66F-4F20-A899-E21EB6E5D54D}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1328 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

1328 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1328 WINWORD.EXE
1328 WINWORD.EXE

pid	process
1328	WINWORD.EXE

pid	process
1328	WINWORD.EXE

pid	process
1328	WINWORD.EXE
1328	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1328 wrote to memory of 2596	1328	WINWORD.EXE	ravidhtirad.exe
PID 1328 wrote to memory of 2596	1328	WINWORD.EXE	ravidhtirad.exe
PID 1328 wrote to memory of 2596	1328	WINWORD.EXE	ravidhtirad.exe
PID 1328 wrote to memory of 2596	1328	WINWORD.EXE	ravidhtirad.exe
PID 1328 wrote to memory of 1308	1328	WINWORD.EXE	splwow64.exe
PID 1328 wrote to memory of 1308	1328	WINWORD.EXE	splwow64.exe
PID 1328 wrote to memory of 1308	1328	WINWORD.EXE	splwow64.exe
PID 1328 wrote to memory of 1308	1328	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\ProgramData\Dlymrdsa\ravidhtirad.exe
  C:\ProgramData\Dlymrdsa\ravidhtirad.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Dlymrdsa\RAVIDH~1.ZIP

Filesize
100KB

MD5
e8d43c7169b8a59d9b030bab911f0aea

SHA1
3cdd51c588f2c86ac547160f8b6674a3342a35d3

SHA256
b741ac11113febcd1213675b51e55ffd2dda70099a01aede3c82b57e833840ba

SHA512
4bcf0805f539766da8a0a592f5b4d577fd9a5ef45f32256afe958c36c78ebd0c41649d347e61f3a53db07322808f03a84fda4c8be5b2e58ae567f4eddfafbc26

Download Submit
C:\ProgramData\Dlymrdsa\ravidhtirad.exe

Filesize
9.2MB

MD5
938770e6e69e6feadb1b9f63af9969f4

SHA1
4a4f4aac7bd4212762bb26b1bda882d44c7956a8

SHA256
bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8

SHA512
383d8381409fdcfaf9632473c3a40f20d887326f452823ca754780c8bbd1879c42dd0d3574dc833a2f98f6e5adfe5c31786654a7252e4ad39770d164feb957dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
302fd76bc39e2d45eff1df5b32b4665d

SHA1
5335342a39af3bfcbd796ec6be30b5b0bcc55d59

SHA256
179dec0c3a11ce3501f469c9c0865ac4afd98a100976320d40f4208f3297b2b2

SHA512
1ed69112a13c8196c07e7652595603c503574fd6a3c9d77dac06db9798f6064e785a3bcdf323b96d0888eff32b01907b1d80ef50da268ce836f79968af11bce9

Download Submit
memory/1328-49-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-85-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/1328-8-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-12-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-22-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-6-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-29-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1328-2-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/1328-86-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-67-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1328-0-0x000000002F911000-0x000000002F912000-memory.dmp

Filesize
4KB

Download
memory/1328-52-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-7-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-55-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/1328-60-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-61-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-62-0x00000000055D0000-0x00000000056D0000-memory.dmp

Filesize
1024KB

Download
memory/1328-63-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/1328-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2596-53-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2596-66-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2596-68-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2596-65-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-48-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-47-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2596-46-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads