Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1500
Target ID:	2
Parent PID:	596
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	10:35:15
Date:	14/10/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\godsawqop.exe

Details

Is windows:	false
Is dropped:	true
PID:	2692
Target ID:	4
Parent PID:	1500
Name:	godsawqop.exe
Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Commandline:	C:\Users\user\AppData\Roaming\godsawqop.exe
Size:	486912
MD5:	D1BAA9515F4C67A7B561938BBD81BC75
Time:	10:35:17
Date:	14/10/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x340000
Modulesize:	507904
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Binary or sample is protected by dotNetProtector	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\godsawqop.exe

Details

Is windows:	false
Is dropped:	true
PID:	2236
Target ID:	5
Parent PID:	2692
Name:	godsawqop.exe
Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Commandline:	C:\Users\user\AppData\Roaming\godsawqop.exe
Size:	486912
MD5:	D1BAA9515F4C67A7B561938BBD81BC75
Time:	10:35:41
Date:	14/10/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x340000
Modulesize:	507904
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Binary or sample is protected by dotNetProtector	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2252
Target ID:	0
Parent PID:	596
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	10:35:13
Date:	14/10/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x13f870000
Modulesize:	1437696
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://milkhost.ru/trasper/goshcj.exe

95.216.94.72

http://127.0.0.1:HTTP/1.1

unknown

http://DynDns.comDynDNS

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/

unknown

https://4hCltxiPdhpdC.com

unknown

https://api.telegram.org

unknown

http://crl.entrust.net/server1.crl0

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://ocsp.entrust.net03

unknown

http://mZWVLr.com

unknown

https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocumentdocument-----

unknown

https://api.telegram.orgP

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument

149.154.167.220

http://www.%s.comPA

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://api.telegram.org

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://secure.comodo.com/CPS0

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

http://crl.entrust.net/2048ca.crl0

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

milkhost.ru

95.216.94.72

Details

Name:	milkhost.ru
IP:	95.216.94.72
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	5
Current Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

95.216.94.72

milkhost.ru

Germany

Details

IP:	95.216.94.72
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	milkhost.ru

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	5
Current Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

i &

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

q!&

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

q#&

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\342E9

342E9

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles