Resubmissions
  15-05-2024 11:58  240515-n495nagc6y  10
  15-05-2024 11:54  240515-n3d1tsgd33  4
  15-05-2024 09:22  240515-lb8p1sba32  10
Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: 4423890.rar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4423890.rar
  Resource: win10v2004-20240508-en
General
- Target: 4423890.rar
- Size: 11.2MB
- MD5: ff7553a8d62ba75491119628aa7ede6e
- SHA1: 105b16f65c61570fd9c6ff2077597ba626026cda
- SHA256: 58fb41c622cfccae8febc06e0c04f25bdb613a5b260ae6f404e9d0eda5ea86ab
- SHA512: ee01b5273fa7fb49eb8f55b995174bb869ebe77854427c4691e8980f5c2b49eef66a9e3fc8ecb6dd2388f390423318653b3573d1002af3124c70a42ed5815c22
- SSDEEP: 196608:f9VizBum/MJuS5PuZBv5z7/AGUnfbhI7epRSv6EjBGu0wcDGIuPJGopuS5R:X4BF/GuS5PuZLQGOfeavSNjgu0tiI1o/
Malware Config
Signatures
-
DarkTrack payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2124-73-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
  behavioral1/memory/2124-72-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
  behavioral1/memory/2124-74-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
  behavioral1/memory/2124-75-0x0000000000400000-0x00000000004A8000-memory.dmp   family_darktrack
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description   ioc                                            process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    rupedoras.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    rupedoras.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     rupedoras.exe
-
Executes dropped EXE 2 IoCs
Processes:
  pid    process
  2356   Predstavlenie № 6-51-2024 .docx.exe
  2348   rupedoras.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid    process
  2356   Predstavlenie № 6-51-2024 .docx.exe
  2356   Predstavlenie № 6-51-2024 .docx.exe
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\rupedoras.exe                               themida
  behavioral1/memory/2348-52-0x0000000000400000-0x0000000001F60000-memory.dmp   themida
  behavioral1/memory/2348-53-0x0000000000400000-0x0000000001F60000-memory.dmp   themida
  behavioral1/memory/2812-67-0x0000000140000000-0x00000001405E8000-memory.dmp   themida
  behavioral1/memory/2348-78-0x0000000000400000-0x0000000001F60000-memory.dmp   themida
-
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2124-62-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-60-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-70-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-71-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-73-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-72-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-74-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral1/memory/2124-75-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                              process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\KWn3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rupedoras.exe"   Predstavlenie № 6-51-2024 .docx.exe
-
Checks whether UAC is enabled
Processes:
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rupedoras.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid    process
  2348   rupedoras.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                               pid    process         target process
  PID 2348 set thread context of 2124       2348   rupedoras.exe   AddInProcess32.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  description                     ioc                                   process
  File opened for modification    C:\Windows\Debug\WIA\wiatrace.log     WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
  WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
  WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid    process
  2488   WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid    process
  2348   rupedoras.exe   (3 events)
  2812   taskmgr.exe     (11 events)
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
  pid    process
  2728   7zFM.exe
  2812   taskmgr.exe
  2124   AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description                  pid    process
  Token: SeRestorePrivilege    2728   7zFM.exe
  Token: 35                    2728   7zFM.exe
  Token: SeSecurityPrivilege   2728   7zFM.exe
  Token: SeDebugPrivilege      2348   rupedoras.exe
  Token: SeDebugPrivilege      2812   taskmgr.exe
-
Suspicious use of FindShellTrayWindow 39 IoCs
Processes:
  pid    process
  2728   7zFM.exe        (2 events)
  2812   taskmgr.exe     (37 events)
-
Suspicious use of SendNotifyMessage 37 IoCs
Processes:
  pid    process
  2812   taskmgr.exe     (37 events)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid    process
  2488   WINWORD.EXE
  2488   WINWORD.EXE
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
  description                           pid    process                               target process
  PID 1732 wrote to memory of 2728      1732   cmd.exe                               7zFM.exe             (3 events)
  PID 2356 wrote to memory of 2488      2356   Predstavlenie № 6-51-2024 .docx.exe   WINWORD.EXE          (4 events)
  PID 2488 wrote to memory of 1368      2488   WINWORD.EXE                           splwow64.exe         (4 events)
  PID 2356 wrote to memory of 2348      2356   Predstavlenie № 6-51-2024 .docx.exe   rupedoras.exe        (4 events)
  PID 2348 wrote to memory of 2124      2348   rupedoras.exe                         AddInProcess32.exe   (8 events)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\4423890.rar
  - Suspicious use of WriteProcessMemory
  PID: 1732
  - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4423890.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2728
- C:\Users\Admin\Desktop\Predstavlenie № 6-51-2024 .docx.exe
  "C:\Users\Admin\Desktop\Predstavlenie № 6-51-2024 .docx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2356
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapros.docx"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2488
    - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID: 1368
  - C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
    C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2348
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2124
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads