Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1036
Target ID:	2
Parent PID:	576
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	08:58:14
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\fiftikmernk852317.exe

Details

Is windows:	false
Is dropped:	true
PID:	912
Target ID:	5
Parent PID:	1036
Name:	fiftikmernk852317.exe
Path:	C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Commandline:	C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Size:	2358784
MD5:	5AE8471C10CDB2A59B950E66F8CA8A46
Time:	08:58:19
Date:	06/08/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	2379776
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AveMaria stealer	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UACMe UAC Bypass tool	Exploits
Contains functionality to hide user accounts	Hooking and other Techniques for Hiding and Protection	Hidden Users
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

Details

Is windows:	true
Is dropped:	false
PID:	1468
Target ID:	6
Parent PID:	912
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell Add-MpPreference -ExclusionPath C:\
Size:	452608
MD5:	92F44E405DB16AC55D97E3BFE3B132FA
Time:	08:58:54
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x21e10000
Modulesize:	466944
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	2512
Target ID:	8
Parent PID:	912
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\System32\cmd.exe
Size:	302592
MD5:	AD7B9C14083B52BC532FBA5948342B98
Time:	08:58:55
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4ab90000
Modulesize:	311296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\fiftikmernk852317.exe

"C:\Users\user\AppData\Roaming\fiftikmernk852317.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1420
Target ID:	10
Parent PID:	1860
Name:	fiftikmernk852317.exe
Path:	C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Commandline:	"C:\Users\user\AppData\Roaming\fiftikmernk852317.exe"
Size:	2358784
MD5:	5AE8471C10CDB2A59B950E66F8CA8A46
Time:	08:59:07
Date:	06/08/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	2379776
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AveMaria stealer	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UACMe UAC Bypass tool	Exploits
Contains functionality to hide user accounts	Hooking and other Techniques for Hiding and Protection	Hidden Users
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	772
Target ID:	0
Parent PID:	576
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	08:58:13
Date:	06/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f090000
Modulesize:	1437696
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://208.67.105.179/fifthikmerozx.exej

unknown

76.8.53.133

http://208.67.105.179/fifthikmerozx.exerrC:

unknown

http://208.67.105.179/fifthikmerozx.exe.

unknown

http://208.67.105.179/fifthikmerozx.exe

208.67.105.179

http://208.67.105.179/fifthikmerozx.exelateC:

unknown

http://www.piriform.com/ccleaner

unknown

http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

unknown

https://github.com/syohex/java-simple-mine-sweeperC:

unknown

https://github.com/syohex/java-simple-mine-sweeper

unknown

http://www.piriform.co

unknown

There are 1 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

76.8.53.133

unknown

United States

Details

IP:	76.8.53.133
TargetID:	5
Current Path:	C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Country:	United States
Countrycode:	USA
ASN number:	17185
ASN name:	QUONIXNETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Found malware configuration	AV Detection

208.67.105.179

unknown

United States

Details

IP:	208.67.105.179
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	20042
ASN name:	GRAYSON-COLLIN-COMMUNICATIONSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MaxConnectionsPer1_0Server

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MaxConnectionsPerServer

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

|4*

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

35*

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

38*

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\67B19

67B19

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles