redline | 927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.docx
Size

16KB
MD5

9edc82805ecc2d30f07d99973883c3c6
SHA1

877fae637a454593a1b66bfede20356803833266
SHA256

927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2
SHA512

b24ed91e3f53fe2cfc0b0fdaebcd495cbc878507187a802ed019736be707d5d832f149360dba0cfd394df5e0406bd979fda5aff4357fe4e2bede514098fc8cf3
SSDEEP

384:tyXxo8qWds8PL8wi4OEwH8TIbE91r2fR3JYovij7XCnp:tcxIq5P3DOqnYJZ1vO7XCp

Score

10^/10

redline sectoprat wordfile infostealer rat spyware trojan upx

Malware Config

Extracted

Family

redline

Botnet

wordfile

185.38.142.10:7474

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-138-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/308-140-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/308-139-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-138-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/308-140-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/308-139-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-138-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/308-140-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/308-139-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\notorious53209.exe	UPX
behavioral1/memory/3020-106-0x0000000000150000-0x00000000002B7000-memory.dmp	UPX
behavioral1/memory/3020-142-0x0000000000150000-0x00000000002B7000-memory.dmp	UPX

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

10 2008 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

notorious53209.exe

pid process

3020 notorious53209.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2008 EQNEDT32.EXE

flow	pid	process
10	2008	EQNEDT32.EXE

pid	process
3020	notorious53209.exe

pid	process
2008	EQNEDT32.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\notorious53209.exe	upx
behavioral1/memory/3020-106-0x0000000000150000-0x00000000002B7000-memory.dmp	upx
behavioral1/memory/3020-142-0x0000000000150000-0x00000000002B7000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3020-106-0x0000000000150000-0x00000000002B7000-memory.dmp	autoit_exe
behavioral1/memory/3020-142-0x0000000000150000-0x00000000002B7000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

notorious53209.exe

description pid process target process

PID 3020 set thread context of 308 3020 notorious53209.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2008 EQNEDT32.EXE

description	pid	process	target process
PID 3020 set thread context of 308	3020	notorious53209.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2008	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2244 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

308 RegSvcs.exe
308 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notorious53209.exe

pid process

3020 notorious53209.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 308 RegSvcs.exe
Token: SeShutdownPrivilege 2244 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

notorious53209.exe

pid process

3020 notorious53209.exe
3020 notorious53209.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

notorious53209.exe

pid process

3020 notorious53209.exe
3020 notorious53209.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2244 WINWORD.EXE
2244 WINWORD.EXE

pid	process
2244	WINWORD.EXE

pid	process
308	RegSvcs.exe
308	RegSvcs.exe

pid	process
3020	notorious53209.exe

description	pid	process
Token: SeDebugPrivilege	308	RegSvcs.exe
Token: SeShutdownPrivilege	2244	WINWORD.EXE

pid	process
3020	notorious53209.exe
3020	notorious53209.exe

pid	process
3020	notorious53209.exe
3020	notorious53209.exe

pid	process
2244	WINWORD.EXE
2244	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EQNEDT32.EXEnotorious53209.exeWINWORD.EXE

description	pid	process	target process
PID 2008 wrote to memory of 3020	2008	EQNEDT32.EXE	notorious53209.exe
PID 2008 wrote to memory of 3020	2008	EQNEDT32.EXE	notorious53209.exe
PID 2008 wrote to memory of 3020	2008	EQNEDT32.EXE	notorious53209.exe
PID 2008 wrote to memory of 3020	2008	EQNEDT32.EXE	notorious53209.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 3020 wrote to memory of 308	3020	notorious53209.exe	RegSvcs.exe
PID 2244 wrote to memory of 1164	2244	WINWORD.EXE	splwow64.exe
PID 2244 wrote to memory of 1164	2244	WINWORD.EXE	splwow64.exe
PID 2244 wrote to memory of 1164	2244	WINWORD.EXE	splwow64.exe
PID 2244 wrote to memory of 1164	2244	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1164

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\notorious53209.exe
"C:\Users\Admin\AppData\Roaming\notorious53209.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Roaming\notorious53209.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81afc0bf5da0665d25a5dee7e2753370

SHA1
0c3be1f39d24b0244b10a55c1206a33e8f53212f

SHA256
5fccf1d8723d62ad01b16c8e53c63c38ebe68f68ec2e2218e2f0c697b9fa4f77

SHA512
81cc789f7a25a488524fbaaf46f930f03de79734d7c0497ee1ec800e5fd1f90e8e7124c55c6b8ba9d9defca243dfd6cfc237d969064cd44107bf738cdd585c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
041dc7229b3a9bc324894cef3c963c33

SHA1
773cf821d2ab208534124f69009333d35be0a979

SHA256
5b75c3daadff9eeb8801c2e8c01cef4fbb3ed0b2d7ff43b45f0bd53ad59f3cbe

SHA512
25b2eb5742fd3356fe379df03f2fbb93ddee5a1b326de6e141e563b4ab724b11ecd1e566a8d03e184bbeae682445a8c060b17c57e6f2f4549390f6095bbbd65f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
682cf45049921d559c234e0ef708ef88

SHA1
7a4101f105b0cab54c472c32cf9f02e9aaee9a1d

SHA256
8f610f6ebd4636b6497a9473e6593f1d9b8479d27b6e621b257b48ba0217fd85

SHA512
5fee65ee8f6c5de152af0b9a0c1f3304e733901738cd4cd198898dc5258a22f9e4ccd6927681b676f96edc464e42c17848531f5fba1851a6b18bb7397ed216c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8c3652cd12d3439df6bebef1797cfbe

SHA1
8bde8c7aa71d87da6decc429e8d34477a63b5e71

SHA256
468e4c7763d6c2ae2a46ad7170dd91ca424f608a3c3ee669b089cd8e011da35e

SHA512
477f18524cf7c2333a6bfc60de9393c7d827d6bc390c37e86b5c4fb55f665437950513f2f105c9bf91eb8b9da6fbe416aa0c6a42e6bc96b1ba13c490263cbdac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
908124ac0ffefa1f75e2d86f99c755dd

SHA1
782338734a83e8c71cd8b22e4317430f387c73f0

SHA256
bddd92bada0d5d9ea3d7515acf770748d706adf977bc26c1a569471f7e781047

SHA512
caa78c06e3aca80bb40847253d89c3a9cc235d07f8835d8c70394096f612c9714bcb2913971055c4bad4dc2263ba40d9d1085850a2af5756d7886b6fd5683f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2230E725-015F-4CF1-BB67-D89710D67731}.FSD

Filesize
128KB

MD5
bb363634ee7b4e17fd5f51ac001f417e

SHA1
debfff33c65f337c8800be59cbd401f50eb34a1b

SHA256
d7bdcd4a2eebd12f2006da5a54b0cd5bfb718a3222c95cab6fb976434664a84f

SHA512
220b38d31a78603b67bb3dc869e70c6f3b23d52da33c35de6c24fd12b7caed7e8166c4b91ca278a75c97f0159d265d33a5dfde7220e8fe6d5d848387edfd6491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
d54ff7030eb976475aeecf99952aa51b

SHA1
a327c1ecbdcc66cf3465960d5c48111d8d2ff03c

SHA256
f62d9eb7158b67bca810a6b84ca71296fd4563859a7da17fdb0b019f90ca4def

SHA512
d3d8a1a17527cb6fe382a00d19d6003d79cded6e429dcf4ea082d72f785f9a97afb560ae015553e5a8556060715c4b1513441587586fc718ddcfdd437be9cb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
4c6f43bb1a971b34ff77ddde16bbd0a2

SHA1
3bd5473e72abbf36e239af3c8c3f7789eda65568

SHA256
1b9f8427264ce9d175e9fbe988466dfb9357b8b40b7957cea3802481f0549c9c

SHA512
fdd2775838cdd215ef5dc5057a3fba9402c3330e48a6711f92bcda66679bb39c54f97dafe1f605cd5a398b8f4283764a00c89caa20963ab8629f645e62f2f79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\notorious[1].doc

Filesize
604KB

MD5
2d1b096a33d1b673fd06db9f3e861761

SHA1
3c0a1d1bd1b54381df8769ecc173e8635fea366e

SHA256
bf89362748b9e66c11aaa49ddf83b1665fe038d04225b36de4f26cffc11a0f3d

SHA512
32156517472c8c4a6998e58bb90e0a684516a11c403d87524a8561f647901cdb9413dd71b55df4de52c88e5e522e06ee9565fc6dc653ec8f49ba5c58a3d5034e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBCCA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE245.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE843.tmp

Filesize
92KB

MD5
9da83032394b54144d4c2a3ae7cdfbce

SHA1
b85d3a0ff5006c2c1d7270500d7849d373f597b7

SHA256
90708648aa3da58b81497a0bc395507906d89d39583d6ad8dcb4e0d417bdc084

SHA512
17cb5c7cf40433e75a6240c2eaffd22bd77f5076c1904041670dd8609769e9c970499f85fc18354782c548fc0739df954dc44a9e1ff40d427a5b4f0d278417f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0919BE7E-F626-43B8-867B-AB21A66A0167}

Filesize
128KB

MD5
77f3435a5a0d52ccf0e76f70a1923eab

SHA1
4500ab65bc7f3bd1ed467c77c871f7e635d7a4eb

SHA256
9d810b7ef8e3a4842d9fe56bd1fae205ecd32bc6db736477de4f16e2745b219a

SHA512
54ce73dbc6b7ef9c0b501bcf86c7577d0b574263fa7a4f341acf15c6e97306aadc27e39f7790ea2085ec066a0e4ee405d9cdf88c35a49d7609c72564776c2711

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
94c5cce8596e49314355d8177f0cfb72

SHA1
36460bb610c45d5702abc18f8bc17206e4a890ec

SHA256
57f9ee5b9bd35fc80af6dd48a75f88ab3385d370a4ab7a518f50fb0b84cd4165

SHA512
a5259959d1694eac53d1ad489aa0d1e0d08fd48fffbbee052ce2b60fa60a64f2d0442ba1639f136e11e904cf6fcd1d85017f937f372571a30090587e29f7b4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\notorious53209.exe

Filesize
629KB

MD5
901a623dbccaa22525373cd36195ee14

SHA1
9adb6dddb68cd7e116da9392e7ee63a8fa394495

SHA256
b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec

SHA512
eabeba0eb9ae7e39577a7e313e50807cee1b888f1c8ff0fa375e5de9451a66471c791c23ea4f4af85151f96b065d55e8c1320026d8503a048a3e5968f8effc1d

Download Submit
memory/308-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/308-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/308-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2244-0-0x000000002F801000-0x000000002F802000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2244-274-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2244-2-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2244-316-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2244-317-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/3020-142-0x0000000000150000-0x00000000002B7000-memory.dmp

Filesize
1.4MB

Download
memory/3020-106-0x0000000000150000-0x00000000002B7000-memory.dmp

Filesize
1.4MB

Download