njrat | 82104a89b676d095f16da49490abfd6267a0eea6617d619d25416aaf423125ce

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Requirements.scr
Size

441KB
MD5

d82b4741a531e77f34865a604f1de729
SHA1

44b7ae953c1c1c60388e7000f6a3060dddc840c0
SHA256

ca636454ca70c9c0a53cd597603cfae9138281d45b6c22015a59271be06d8885
SHA512

bc77a89ae2e9671761316f06ae405a4f325b6286066ecb3421619a17fb348bc0eeb485fa3cc653039fc542b7785d082400c2e67680f051f5ab074bee709754c5
SSDEEP

6144:snx1jC2vG03dvpMsFPDb1pijBfSKtAAFewda/RQMjhpeKqNFubV:edpVhDZwjBf3SA0wdwQMyKqix

Score

10^/10

njrat revengerat guest hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

awaisawan.zapto.org:5555

Mutex

3484533e95ad86b4adeee88c1907dded

Attributes

reg_key
3484533e95ad86b4adeee88c1907dded
splitter
|'|'|

Extracted

Family

revengerat

Botnet

Guest

awaisawan.zapto.org:333

Mutex

Random

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2848 netsh.exe

pid	process
2848	netsh.exe

Drops startup file 2 IoCs

Processes:

svchsot.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3484533e95ad86b4adeee88c1907dded.exe	svchsot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3484533e95ad86b4adeee88c1907dded.exe	svchsot.exe

Executes dropped EXE 4 IoCs

Processes:

nj.exerv.exesvchsot.exesvchsoot.exe

pid process

2052 nj.exe
2632 rv.exe
2268 svchsot.exe
1980 svchsoot.exe
Loads dropped DLL 4 IoCs

Processes:

Requirements.scrnj.exerv.exe

pid process

2156 Requirements.scr
2156 Requirements.scr
2052 nj.exe
2632 rv.exe

pid	process
2052	nj.exe
2632	rv.exe
2268	svchsot.exe
1980	svchsoot.exe

pid	process
2156	Requirements.scr
2156	Requirements.scr
2052	nj.exe
2632	rv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchsot.exesvchsoot.exerv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\3484533e95ad86b4adeee88c1907dded = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchsot.exe\" .."	svchsot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3484533e95ad86b4adeee88c1907dded = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchsot.exe\" .."	svchsot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\svchsoot.exe"	svchsoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rv.exe"	rv.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rv.exesvchsoot.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	rv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString	rv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchsoot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString	svchsoot.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2372 WINWORD.EXE

pid	process
2372	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

svchsot.exe

description	pid	process
Token: SeDebugPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe
Token: 33	2268	svchsot.exe
Token: SeIncBasePriorityPrivilege	2268	svchsot.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

2728 DllHost.exe
2728 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2372 WINWORD.EXE
2372 WINWORD.EXE

pid	process
2728	DllHost.exe
2728	DllHost.exe

pid	process
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Requirements.scrWINWORD.EXEnj.exerv.exesvchsot.exe

description	pid	process	target process
PID 2156 wrote to memory of 2052	2156	Requirements.scr	nj.exe
PID 2156 wrote to memory of 2052	2156	Requirements.scr	nj.exe
PID 2156 wrote to memory of 2052	2156	Requirements.scr	nj.exe
PID 2156 wrote to memory of 2052	2156	Requirements.scr	nj.exe
PID 2156 wrote to memory of 2632	2156	Requirements.scr	rv.exe
PID 2156 wrote to memory of 2632	2156	Requirements.scr	rv.exe
PID 2156 wrote to memory of 2632	2156	Requirements.scr	rv.exe
PID 2156 wrote to memory of 2632	2156	Requirements.scr	rv.exe
PID 2156 wrote to memory of 2372	2156	Requirements.scr	WINWORD.EXE
PID 2156 wrote to memory of 2372	2156	Requirements.scr	WINWORD.EXE
PID 2156 wrote to memory of 2372	2156	Requirements.scr	WINWORD.EXE
PID 2156 wrote to memory of 2372	2156	Requirements.scr	WINWORD.EXE
PID 2372 wrote to memory of 1896	2372	WINWORD.EXE	splwow64.exe
PID 2372 wrote to memory of 1896	2372	WINWORD.EXE	splwow64.exe
PID 2372 wrote to memory of 1896	2372	WINWORD.EXE	splwow64.exe
PID 2372 wrote to memory of 1896	2372	WINWORD.EXE	splwow64.exe
PID 2052 wrote to memory of 2268	2052	nj.exe	svchsot.exe
PID 2052 wrote to memory of 2268	2052	nj.exe	svchsot.exe
PID 2052 wrote to memory of 2268	2052	nj.exe	svchsot.exe
PID 2052 wrote to memory of 2268	2052	nj.exe	svchsot.exe
PID 2632 wrote to memory of 1980	2632	rv.exe	svchsoot.exe
PID 2632 wrote to memory of 1980	2632	rv.exe	svchsoot.exe
PID 2632 wrote to memory of 1980	2632	rv.exe	svchsoot.exe
PID 2632 wrote to memory of 1980	2632	rv.exe	svchsoot.exe
PID 2268 wrote to memory of 2848	2268	svchsot.exe	netsh.exe
PID 2268 wrote to memory of 2848	2268	svchsot.exe	netsh.exe
PID 2268 wrote to memory of 2848	2268	svchsot.exe	netsh.exe
PID 2268 wrote to memory of 2848	2268	svchsot.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\nj.exe
"C:\Users\Admin\AppData\Local\Temp\nj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\svchsot.exe
"C:\Users\Admin\AppData\Local\Temp\svchsot.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchsot.exe" "svchsot.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2848

C:\Users\Admin\AppData\Local\Temp\rv.exe
"C:\Users\Admin\AppData\Local\Temp\rv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Roaming\svchsoot.exe
"C:\Users\Admin\AppData\Roaming\svchsoot.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
PID:1980

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Requirements.docx"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1896

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Requirements.docx
Filesize
13KB

MD5
0831b8fbfb0112a869197026cfc22d0d

SHA1
644a54282a7b2a68442ece836208c8e61229c881

SHA256
a6ab401737ef183ba8dafce28e2e9737739139c61a4f7a51945324b76dd73d20

SHA512
2f9722cee67fcdee4aeaeca962612c459492df2a73601f8c40ac9e7cbf90536fbfe38c640fc2fc728da93e5cd5358931c233077e6e6d7e4c4333e3b4ed3c65ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\metro-wordpress-themes.jpg
Filesize
85KB

MD5
99f7392f94a6572a0503d752a76c0cff

SHA1
f818711e4a756dbddc53415a6a885126c447391d

SHA256
48a3a0ac7feadf77e62a51d976c5092c56615577c6b7a9b593ec1658e9e7f41b

SHA512
c0cba096fc933a2c4795599756a924091cd042ad69e7ab6e88e7b2fdba3486459df5564fc34a5c10ea3c4ea2280f1774fcf603680b3ffbc2085d26b68ad783ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zerif-pro.jpg
Filesize
57KB

MD5
63cc6aba84ce6a4ae614022d58cf746c

SHA1
68a779f4c784da4e6df5916471786a06bc8ba1a9

SHA256
da190858e6689eab30459024ba6c84a1166810f9882e3b900602f1e8d30f0d43

SHA512
b644eb728aee7864588e906109b09220b2fefdd3a4f7ebd83ff602025bbace4a350bfd75a1b9df7dfe8808c8df7f895dcdd829bbd0506fdc4308c2d7c4dc2abc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
0d22f0c9c44b47e9556754af69f3b576

SHA1
d27a8b20bead6348415bb1a9a026cb3e7503652f

SHA256
d43e764f7dd5cc240fab1350406bdb17266335162bf5e1fb1e90e8f334a25cee

SHA512
83b2ec5ba026e7c4c78c0fe86be035b9cfdf912b4fe51e69f199277011d0d3cdcf7a15e9acb4ffb5e3e16c1b4d720e7adab2140bc8947d1435a92014f5e1a1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nj.exe
Filesize
459KB

MD5
03c4bd9a3cb44bf49f329fe04e93f537

SHA1
257dfb6782bc40e9878ada68f350fd8cce2179fb

SHA256
20c1815d9eecee28c6b86ac3e302756c8e4dbc5963d7d8df431e86f5d1dc41e0

SHA512
c91666311b655e3f9c213f3aa9d1d72c7610bfda227b5da0d8c5f17f56c16357f5f9224e831fe77f23ef66c8391a4a5e416d9b8f78dcc477a82a84fe5569c97c

Download Submit
\Users\Admin\AppData\Local\Temp\rv.exe
Filesize
386KB

MD5
2602c258d3fe5647f4f039b644abeaa6

SHA1
f733131b769735c82c56dd5b3f6aef4e3cabac9b

SHA256
ab682dce500913302f75c0cccc9f049fc3fa70b16b5de99788fb9cd520f47d3d

SHA512
db0aa91cbf071fa12951a5b9eeb6610aea3917edd93465863cdeafb939cc5ac9088fee8f64e96d375a428f236bbb589953e60cef3ff50ae2697940d12eba90c6

Download Submit
memory/1980-64-0x00000000003D0000-0x0000000000438000-memory.dmp

Filesize
416KB

Download
memory/2052-18-0x00000000010A0000-0x000000000111A000-memory.dmp

Filesize
488KB

Download
memory/2052-22-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/2052-46-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2052-55-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/2052-45-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-20-0x0000000002AA0000-0x0000000002AA2000-memory.dmp

Filesize
8KB

Download
memory/2268-56-0x0000000000130000-0x00000000001AA000-memory.dmp

Filesize
488KB

Download
memory/2372-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2632-47-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2632-44-0x00000000739CE000-0x00000000739CF000-memory.dmp

Filesize
4KB

Download
memory/2632-19-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/2632-17-0x00000000739CE000-0x00000000739CF000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download