a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520

General

Target

recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.rtf
Size

82KB
MD5

0a9c028203a8416be8db7371550d0fb5
SHA1

2f576cdfbf4f60918676f6583265c504bdeefa21
SHA256

a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520
SHA512

51d92688abee365f550552c565ebc422000c6cdf6a0e58528922bde4323906cd85d3dcf7d29fb52adf9cdc4c59e3310704a25657b5a9683ed041087f7db01b69
SSDEEP

384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2564	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2864	winiti.exe
2752	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	EQNEDT32.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 2752	2864	winiti.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2564	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2364	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2364	WINWORD.EXE
2364	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2864	2564	EQNEDT32.EXE	30
PID 2564 wrote to memory of 2864	2564	EQNEDT32.EXE	30
PID 2564 wrote to memory of 2864	2564	EQNEDT32.EXE	30
PID 2564 wrote to memory of 2864	2564	EQNEDT32.EXE	30
PID 2364 wrote to memory of 2796	2364	WINWORD.EXE	32
PID 2364 wrote to memory of 2796	2364	WINWORD.EXE	32
PID 2364 wrote to memory of 2796	2364	WINWORD.EXE	32
PID 2364 wrote to memory of 2796	2364	WINWORD.EXE	32
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33
PID 2864 wrote to memory of 2752	2864	winiti.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\recreatednewthingswithentrienewprocesswhichwedidwithouthavingsuchagereatthigstodoever_______greatthingstohappened.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2796

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Roaming\winiti.exe
  "C:\Users\Admin\AppData\Roaming\winiti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Roaming\winiti.exe
    "C:\Users\Admin\AppData\Roaming\winiti.exe"
    3⤵
    - Executes dropped EXE
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
929KB

MD5
1f5c95d40c06c01300f0a6592945a72d

SHA1
79a217ed19833efcf640ffd8bb04803e9f30d6f4

SHA256
434ec59b680788bae7f2935200a77e681cecbb517d853c6e6cf31f4cf112e5cc

SHA512
3cd70090e071e43b22a3638d8cdf13874c5da34aff2cb314e170feda59d630594314f45708797d83a47ed645a7f07755ac10f4a438858e6673ce560fe5f57975

Download Submit
memory/2364-0-0x000000002F321000-0x000000002F322000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2364-2-0x0000000072F4D000-0x0000000072F58000-memory.dmp

Filesize
44KB

Download
memory/2364-26-0x0000000072F4D000-0x0000000072F58000-memory.dmp

Filesize
44KB

Download
memory/2752-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-21-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2864-17-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/2864-18-0x0000000004C70000-0x0000000004CFE000-memory.dmp

Filesize
568KB

Download
memory/2864-16-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/2864-15-0x0000000000E30000-0x0000000000F1E000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing