betabot | 70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69db660126843cc9ca7092394735c351_JaffaCakes118.rtf
Size

756KB
MD5

69db660126843cc9ca7092394735c351
SHA1

37d4cceb2766ca0ef6d747d5188b96475892c277
SHA256

70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43
SHA512

86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8
SSDEEP

12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2088	2888	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2832	2888	cmd.exe	WINWORD.EXE

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\91y7kciaqk9ise.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\91y7kciaqk9ise.exe\DisableExceptionChainValidation	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "cqyrbuas.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Drops startup file 2 IoCs

Processes:

exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	exe.exe

Executes dropped EXE 2 IoCs

Processes:

exe.exeapp.exe

pid process

2012 exe.exe
2372 app.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2700 cmd.exe

pid	process
2012	exe.exe
2372	app.exe

pid	process
2700	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

app.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe -boot"	app.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

svchost.exeexplorer.exe

pid	process
1048	svchost.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 2372 set thread context of 1048 2372 app.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 2372 set thread context of 1048	2372	app.exe	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2104 timeout.exe

pid	process
2104	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2936 taskkill.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid process

2748 EQNEDT32.EXE
2732 EQNEDT32.EXE

pid	process
2936	taskkill.exe

pid	process
2748	EQNEDT32.EXE
2732	EQNEDT32.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2888 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

explorer.exe

pid process

2064 explorer.exe
2064 explorer.exe
2064 explorer.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

svchost.exeexplorer.exe

pid process

1048 svchost.exe
1048 svchost.exe
2064 explorer.exe
2064 explorer.exe
2064 explorer.exe
2064 explorer.exe
2064 explorer.exe

pid	process
2888	WINWORD.EXE

pid	process
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

taskkill.exeexe.exeapp.exesvchost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2012	exe.exe
Token: SeDebugPrivilege	2372	app.exe
Token: SeDebugPrivilege	1048	svchost.exe
Token: SeRestorePrivilege	1048	svchost.exe
Token: SeBackupPrivilege	1048	svchost.exe
Token: SeLoadDriverPrivilege	1048	svchost.exe
Token: SeCreatePagefilePrivilege	1048	svchost.exe
Token: SeShutdownPrivilege	1048	svchost.exe
Token: SeTakeOwnershipPrivilege	1048	svchost.exe
Token: SeChangeNotifyPrivilege	1048	svchost.exe
Token: SeCreateTokenPrivilege	1048	svchost.exe
Token: SeMachineAccountPrivilege	1048	svchost.exe
Token: SeSecurityPrivilege	1048	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1048	svchost.exe
Token: SeCreateGlobalPrivilege	1048	svchost.exe
Token: 33	1048	svchost.exe
Token: SeDebugPrivilege	2064	explorer.exe
Token: SeRestorePrivilege	2064	explorer.exe
Token: SeBackupPrivilege	2064	explorer.exe
Token: SeLoadDriverPrivilege	2064	explorer.exe
Token: SeCreatePagefilePrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeTakeOwnershipPrivilege	2064	explorer.exe
Token: SeChangeNotifyPrivilege	2064	explorer.exe
Token: SeCreateTokenPrivilege	2064	explorer.exe
Token: SeMachineAccountPrivilege	2064	explorer.exe
Token: SeSecurityPrivilege	2064	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2064	explorer.exe
Token: SeCreateGlobalPrivilege	2064	explorer.exe
Token: 33	2064	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

2888 WINWORD.EXE
2888 WINWORD.EXE
2888 WINWORD.EXE

pid	process
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.exeEQNEDT32.EXE

description	pid	process	target process
PID 2888 wrote to memory of 2088	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2088	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2088	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2088	2888	WINWORD.EXE	cmd.exe
PID 2088 wrote to memory of 2700	2088	cmd.exe	cmd.exe
PID 2088 wrote to memory of 2700	2088	cmd.exe	cmd.exe
PID 2088 wrote to memory of 2700	2088	cmd.exe	cmd.exe
PID 2088 wrote to memory of 2700	2088	cmd.exe	cmd.exe
PID 2700 wrote to memory of 2104	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2104	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2104	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2104	2700	cmd.exe	timeout.exe
PID 2888 wrote to memory of 2832	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2832	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2832	2888	WINWORD.EXE	cmd.exe
PID 2888 wrote to memory of 2832	2888	WINWORD.EXE	cmd.exe
PID 2732 wrote to memory of 2496	2732	EQNEDT32.EXE	CmD.exe
PID 2732 wrote to memory of 2496	2732	EQNEDT32.EXE	CmD.exe
PID 2732 wrote to memory of 2496	2732	EQNEDT32.EXE	CmD.exe
PID 2732 wrote to memory of 2496	2732	EQNEDT32.EXE	CmD.exe
PID 2700 wrote to memory of 2012	2700	cmd.exe	exe.exe
PID 2700 wrote to memory of 2012	2700	cmd.exe	exe.exe
PID 2700 wrote to memory of 2012	2700	cmd.exe	exe.exe
PID 2700 wrote to memory of 2012	2700	cmd.exe	exe.exe
PID 2700 wrote to memory of 2936	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 2936	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 2936	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 2936	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 1816	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1816	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1816	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1816	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1068	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1068	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1068	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1068	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1084	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1084	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1084	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1084	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2420	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2420	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2420	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2420	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 928	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 928	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 928	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 928	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2536	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2536	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2536	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 2536	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1168	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1168	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1168	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1168	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 1980	2700	cmd.exe	cmd.exe
PID 2700 wrote to memory of 1980	2700	cmd.exe	cmd.exe
PID 2700 wrote to memory of 1980	2700	cmd.exe	cmd.exe
PID 2700 wrote to memory of 1980	2700	cmd.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69db660126843cc9ca7092394735c351_JaffaCakes118.rtf"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
        6⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im WiNwOrD.ExE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        
        PID:928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1980
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1136
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2544
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2784
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2660
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1044
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
    3⤵
    - Process spawned unexpected child process
    PID:2832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11622268881751923053901378205-2100200047-1650525846-6502739131103300851313841143"
1⤵
PID:2584

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %tmp%\task.bat & UUUUUUUUc
  2⤵
  PID:2496

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1912
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Sets file execution options in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies firewall policy service
      Sets file execution options in registry
      Checks BIOS information in registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Enumerates system info in registry
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
a079014f23f6f2f169e7edfa090538eb

SHA1
20c83c3dbd3ffd2a78c1c8453a800c625698ebda

SHA256
e815df3fb218435c48a6059cd8fe5fe20e9443550f4334c623befe19d6c1a1b8

SHA512
2dff1f799491b364077c592fbe063b2b78c008f459d3769a96dcac046e10086ac0215d8a574201fad316d1397f0a86a52218c381042de612b4c1281942246ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\decoy.doc

Filesize
31KB

MD5
df778726a0f7ffeaa9fc16826f77a946

SHA1
3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c

SHA256
a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da

SHA512
5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
423B

MD5
1b5a8273e16e717136f7fed172da847a

SHA1
352f0ec7fefdbf3211ffef8aed13a60bb60e6135

SHA256
113e8ad48f1bb20df1c8e6ddeddfb527aedbf85d18b58fcdd146ba544885de34

SHA512
9842bf7e53e7c02ab50182c7dc0b500c977586c5ec39cddb2869bebb40f9332b604befb4b13bcf6f5edc681d0c205bc7639743687af08efbe1e34770d7abe509

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
147B

MD5
669f7ab1ba185d4123d391dc22bffe26

SHA1
cd8742755f0271723d7b8c3265e192e3e0927c39

SHA256
ecbb35d9ee34e1519e8a437636e173f9628787903c4916f8e107d1070902f34a

SHA512
93d339ee40417c768e710f1adf8ed8b593d6345b57a317f5aa73c22566df1b35977a6fe0f35335cfa29102a87ac41ce90fdd9f82dcdcb97831c660af84f8ba1e

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
283KB

MD5
ad9e9876d0a5cf8e7ca7de82de1ed01b

SHA1
c316e6a88e6bbf63dbb63fee0a0fc5a5795dcfc3

SHA256
c99f64fbc553b946613296764c74c0a62ff36ce3d97c534464fb412aea3f6b8c

SHA512
431a78eea327114f53231bfb9a2af44414bc3adc96035c6e5be4c21368952e453d69e613da9798f4488b21bff1ad3b19c534d0cf05b420112d4d223db8a0ce3e

Download Submit
memory/1048-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-57-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1048-48-0x0000000000380000-0x00000000003E6000-memory.dmp

Filesize
408KB

Download
memory/1048-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-59-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-55-0x00000000000D0000-0x000000000013A000-memory.dmp

Filesize
424KB

Download
memory/2064-67-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-50-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-51-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-52-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-54-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-63-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-53-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-66-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-58-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-65-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-61-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-64-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2064-60-0x0000000077B00000-0x0000000077C81000-memory.dmp

Filesize
1.5MB

Download
memory/2700-62-0x0000000000170000-0x00000000001DA000-memory.dmp

Filesize
424KB

Download
memory/2888-39-0x00000000716FD000-0x0000000071708000-memory.dmp

Filesize
44KB

Download
memory/2888-0-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2888-2-0x00000000716FD000-0x0000000071708000-memory.dmp

Filesize
44KB

Download