Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3160
Target ID:	0
Parent PID:	564
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	00:39:03
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fc50000
Modulesize:	1437696
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Office Macro File Creation	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3244
Target ID:	2
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	00:39:05
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\winiti.exe

"C:\Users\user\AppData\Roaming\winiti.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3392
Target ID:	5
Parent PID:	3244
Name:	winiti.exe
Path:	C:\Users\user\AppData\Roaming\winiti.exe
Commandline:	"C:\Users\user\AppData\Roaming\winiti.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	00:39:08
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Yara detected Credential Stealer	Stealing of Sensitive Information
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Roaming\winiti.exe

"C:\Users\user\AppData\Roaming\winiti.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3468
Target ID:	6
Parent PID:	3392
Name:	winiti.exe
Path:	C:\Users\user\AppData\Roaming\winiti.exe
Commandline:	"C:\Users\user\AppData\Roaming\winiti.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	00:39:11
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Yara detected Credential Stealer	Stealing of Sensitive Information
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3668
Target ID:	7
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	00:39:27
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://198.46.174.139/71/winiti.exe

198.46.174.139

https://api.ipify.org/

172.67.74.152

https://api.ipify.org

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://tempuri.org/dxsss.xsd

unknown

https://account.dyn.com/

unknown

http://crl.entrust.net/server1.crl0

unknown

http://us2.smtp.mailhostbox.com

unknown

http://ocsp.entrust.net03

unknown

https://support.google.com/chrome/?p=plugin_flash

unknown

http://198.46.174.139/71/winiti.exej

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://smtp.jlahuachem.com

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://api.ipify.org/t

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://secure.comodo.com/CPS0

unknown

http://198.46.174.139/71/winiti.

unknown

http://198.46.174.139/71/winiti.exekkC:

unknown

http://crl.entrust.net/2048ca.crl0

unknown

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

smtp.jlahuachem.com

unknown

Details

Name:	smtp.jlahuachem.com
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.224

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.224
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

198.46.174.139

unknown

United States

Details

IP:	198.46.174.139
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

208.91.198.143

unknown

United States

Details

IP:	208.91.198.143
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.225

unknown

United States

Details

IP:	208.91.199.225
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.223

unknown

United States

Details

IP:	208.91.199.223
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.224

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.224
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	6
Current Path:	C:\Users\user\AppData\Roaming\winiti.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

? .

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

da.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

6c.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\29694

29694