Analysis
- max time kernel: 1801s
- max time network: 1800s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 12:23
Static task: static1
Behavioral task behavioral1: sample 9aaf287388698afd5ef8bfeb1fb8ee24.rtf, resource win7-en-20211014
Behavioral task behavioral2: sample 9aaf287388698afd5ef8bfeb1fb8ee24.rtf, resource win10-en-20210920
The signatures, process tree, dropped files and memory dumps below all come from behavioral1 (the Windows 7 run with Office 2010, Office14); no behavioral2 results are included on this page.
General
- Target: 9aaf287388698afd5ef8bfeb1fb8ee24.rtf
- Size: 23KB
- MD5: 9aaf287388698afd5ef8bfeb1fb8ee24
- SHA1: 97c0f28698ddc4e9b512a37f0230de3846922649
- SHA256: c01942eeca190f7672db0e7e3322a21b52c66f669b41f1dd0ef852c8dd003cb3
- SHA512: e634eea49486d6cc8a0f3227b674184eff9ba57afa1a26f708687ef92f21d4ac979be19fad65c4430f4fb31e9746b286cad83ed3c1f668823bc66667e6c8dfe3
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign (URI path token): mxnu
- C2: http://www.naplesconciergerealty.com/mxnu/
- Decoy domains (64, listed below). XLoader beacons to the decoys as well as to the real server so that the operator's C2 cannot be picked out of the traffic; the whole list is worth alerting on, but a domain appearing here is not by itself evidence that the site is compromised.
insightmyhome.com
gabriellamaxey.com
029atk.xyz
marshconstructions.com
technichoffghosts.com
blue-ivy-boutique-au.com
1sunsetgroup.com
elfkuhnispb.store
caoliudh.club
verifiedpaypal.net
jellyice-tr.com
gatescres.com
bloomberq.online
crystaltopagent.net
uggs-line.com
ecommerceplatform.xyz
historyofcambridge.com
sattaking-gaziabad.xyz
digisor.com
beachpawsmobilegrooming.com
whitebot.xyz
zacky6.online
qlfa8gzk8f.com
scottjasonfowler.com
influxair.com
desongli.com
xn--w7uy63f0ne2sj.com
pinup722bk.com
haohuatour.com
dharmathinkural.com
hanjyu.com
tbrhc.com
clarityflux.com
meltonandcompany.com
revgeek.com
onehigh.club
closetu.com
yama-nkok.com
brandonhistoryandinfo.com
funkidsroomdecor.com
epilasyonmerkeziankara.com
265411.com
watch12.online
dealsbonaza.com
gold2guide.art
tomclark.online
877961.com
washingtonboatrentals.com
promovart.com
megapollice.online
taquerialoteria.com
foxsontreeservice.com
safebookkeeping.com
theeducationwheel.online
sasanos.com
procurovariedades.com
normandia.pro
ingdalynnia.xyz
campusguideconsulting.com
ashramseries.com
clubcupids.art
mortgagerates.solutions
deepscanlabs.com
insulated-box.com
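Added example (not part of the sandbox report and not XLoader's own code): a Python script that turns the config block above into normalised hunting IOCs and matches proxy log lines against them. Assumptions, also marked in the code: the config is fed in as the plain family/version/campaign/C2/decoy text shown above (only a constructed excerpt of the 64 decoys is embedded so the script runs offline); the "mxnu" token is applied as the URI path to every decoy as well as to the primary C2, which is the XLoader/Formbook beaconing pattern but is not something the report states; and the proxy log format is invented for the demonstration.

```python
"""Turn the XLoader 2.5 config printed above into hunting IOCs.

Added example; it is not part of the sandbox report. Assumptions are
marked: the config block is fed in as the plain text the report shows,
and the campaign token ("mxnu") is applied as the URI path to the decoy
domains as well as the primary C2, which is the XLoader/Formbook
beaconing pattern but is not something the report states.
"""
from urllib.parse import urlsplit

# Constructed excerpt of the config block above (the full report lists
# 64 decoy domains; a few are enough to exercise the parser).
CONFIG_EXCERPT = """\
xloader
2.5
mxnu
http://www.naplesconciergerealty.com/mxnu/
insightmyhome.com
gabriellamaxey.com
xn--w7uy63f0ne2sj.com
verifiedpaypal.net
bloomberq.online
"""


def parse_config(text):
    """Parse the family/version/campaign/C2/decoy layout into a dict."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    family, version, campaign, c2 = lines[:4]
    return {"family": family, "version": version, "campaign": campaign,
            "c2": c2, "decoys": lines[4:]}


def normalise_host(host):
    """Lower-case, strip a leading www. and decode IDNA (punycode) labels.

    Invalid punycode is kept in its ASCII form instead of raising, so one
    odd label cannot break the whole IOC list. Returns (ascii, unicode).
    """
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    try:
        unicode_form = host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_form = host
    return host, unicode_form


def build_iocs(cfg):
    """Primary C2 plus every decoy, keyed on the ASCII host.

    Assumption (labelled): the campaign token is the URI path on every
    host, not only on the primary C2.
    """
    c2 = urlsplit(cfg["c2"])
    hosts = {normalise_host(c2.hostname)[0]: "c2"}
    for d in cfg["decoys"]:
        hosts.setdefault(normalise_host(d)[0], "decoy")
    return {"path": "/" + cfg["campaign"] + "/", "hosts": hosts,
            "unicode_hosts": {normalise_host(h)[1] for h in hosts}}


def match_proxy_line(line, iocs):
    """Return (host, role) if a proxy log line whose last field is the URL
    beacons to a config host on the campaign path, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[-1])
    if not url.hostname:
        return None
    host, _ = normalise_host(url.hostname)
    role = iocs["hosts"].get(host)
    if role and url.path.startswith(iocs["path"]):
        return host, role
    return None


def scan(lines, iocs):
    """All hits, in log order."""
    return [m for m in (match_proxy_line(l, iocs) for l in lines) if m]


# Constructed proxy log lines; the format is invented, not the report's.
SAMPLE_LOG = [
    "2021-10-21T12:30:01Z 10.0.0.5 GET http://www.naplesconciergerealty.com/mxnu/?q=abc",
    "2021-10-21T12:30:07Z 10.0.0.5 POST http://www.insightmyhome.com/mxnu/",
    "2021-10-21T12:30:09Z 10.0.0.5 GET http://www.insightmyhome.com/index.html",
    "2021-10-21T12:31:00Z 10.0.0.5 GET http://example.org/mxnu/",
]

if __name__ == "__main__":
    iocs = build_iocs(parse_config(CONFIG_EXCERPT))
    for host, role in scan(SAMPLE_LOG, iocs):
        print(role, host)
```

Matching on host plus the "/mxnu/" path, rather than on the host alone, keeps ordinary browsing to a decoy site (the third log line) out of the alert, which matters because most decoys are unrelated live domains.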
Signatures
-
Xloader Payload 5 IoCs
resource / yara_rule:
- behavioral1/memory/924-68-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/924-69-0x000000000041D4A0-mapping.dmp: xloader
- behavioral1/memory/924-75-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/1592-83-0x0000000000080000-0x00000000000A9000-memory.dmp: xloader
- behavioral1/memory/1348-96-0x000000000041D4A0-mapping.dmp: xloader
The rule fires in three processes only: the second vbc.exe (924), the netsh.exe it spawned (1592) and the second winhh1lxj9.exe (1348). Each is the hollowed child or injection target in the chain below, not the on-disk NSIS dropper, so the 164KB regions in those dumps are where the unpacked payload lives.
-
Blocklisted process makes network request 1 IoCs
flow / pid / process:
- flow 4, pid 984, EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid / process:
- 1788 vbc.exe
- 924 vbc.exe
- 1048 winhh1lxj9.exe
- 1348 winhh1lxj9.exe
-
Loads dropped DLL 5 IoCs
pid / process:
- 984 EQNEDT32.EXE
- 984 EQNEDT32.EXE
- 984 EQNEDT32.EXE
- 1788 vbc.exe
- 1048 winhh1lxj9.exe
-
Uses the VBS compiler for execution 1 TTPs
This heuristic keys on the file name only: the download is written to C:\Users\Public\vbc.exe so that it looks like the .NET Visual Basic compiler (vbc.exe). The NSIS installer signature and the hashes under Downloads show it is the NSIS-packed XLoader loader, not Microsoft's compiler, so do not treat this as a compiler-abuse TTP.
-
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / process:
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (netsh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DBFPEZIXW82L = "C:\\Program Files (x86)\\Cox4dufwh\\winhh1lxj9.exe" (netsh.exe)
The writer is the hollowed netsh.exe (pid 1592), not an installer. Both the value name (DBFPEZIXW82L) and the directory (Cox4dufwh) are random per run, and writing under Program Files (x86) needs the elevated token the sandbox user has, so hunt on the pattern (a system binary writing a Run value that points to <random dir>\<random name>.exe under Program Files) rather than on these literal strings.
-
Suspicious use of SetThreadContext 5 IoCs
description / pid / process / target process:
- PID 1788 set thread context of 924: vbc.exe -> vbc.exe
- PID 924 set thread context of 1392: vbc.exe -> Explorer.EXE
- PID 924 set thread context of 1392: vbc.exe -> Explorer.EXE
- PID 1592 set thread context of 1392: netsh.exe -> Explorer.EXE
- PID 1048 set thread context of 1348: winhh1lxj9.exe -> winhh1lxj9.exe
The same-image pairs (vbc.exe -> vbc.exe, winhh1lxj9.exe -> winhh1lxj9.exe) are process hollowing of a freshly started child; the Explorer.EXE entries are XLoader's injection into the shell, which then starts the persistence copy winhh1lxj9.exe (pid 1048) as shown in the process tree.
-
Drops file in Program Files directory 2 IoCs
description / ioc / process:
- File opened for modification: C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe (netsh.exe)
- File created: C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe (Explorer.EXE)
-
Drops file in Windows directory 1 IoCs
description / ioc / process:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
This is the Windows Image Acquisition trace log that Office touches routinely; it is not part of the infection.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "likely ransomware behaviour"; for this sample, an XLoader information stealer, nothing else in the report points to file encryption, so read it as generic drive enumeration rather than as a ransomware indicator.
-
NSIS installer 18 IoCs
resource / yara_rule (each path hit both rules, three times each):
- \Users\Public\vbc.exe: nsis_installer_1, nsis_installer_2 (x3)
- C:\Users\Public\vbc.exe: nsis_installer_1, nsis_installer_2 (x3)
- C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe: nsis_installer_1, nsis_installer_2 (x3)
-
Office loads VBA resources, possible macro or embedded object present
RTF cannot carry VBA macros, so for this sample the trigger is the embedded object, which matches the Equation Editor launch below.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Here EQNEDT32.EXE (pid 984) was COM-activated with -Embedding by the object embedded in the RTF, then made a network request, fetched a PE to C:\Users\Public\vbc.exe and started it (see the process tree). That is the behaviour an Equation Editor exploit produces, but the report does not identify which vulnerability was used, so do not assign a CVE from this page alone.
-
Modifies Internet Explorer settings
(The heading of this signature is missing from the extracted page; the process tree below lists it for WINWORD.EXE and netsh.exe.) All but one of these keys are written by WINWORD.EXE (pid 1632) registering Office as the HTML/MHTML editor and adding its IE menu extensions, routine setup work seen whenever Word is first launched in a fresh VM. The one entry that matters is the key created by netsh.exe (pid 1592), the hollowed XLoader host: IntelliForms\Storage2 is Internet Explorer's saved-form and password store, and a system binary opening it is consistent with credential harvesting.
description / ioc / process:
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit (WINWORD.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit (WINWORD.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit (WINWORD.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command (WINWORD.EXE)
- Key created: \Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell (WINWORD.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor (WINWORD.EXE)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor (WINWORD.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell (WINWORD.EXE)
-
Modifies registry class 64 IoCs
All 64 entries are Word (pid 1632) registering itself, Excel and Publisher as Open With / Edit handlers for .htm and .mht and restoring the mhtmlfile icon handler. This is Office's own setup work and carries no infection-specific indicator; the REG_BINARY "command" values are Windows Installer advertised-verb descriptors, not injected commands. Keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes (written as Classes\...), all by WINWORD.EXE.
description / ioc:
- Set value (str): Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created: Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
- Key created: Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
- Key created: Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
- Key created: Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Key created: Classes\.mht\OpenWithList
- Key created: Classes\.mht\OpenWithList\Excel.exe
- Key created: Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- Set value (str): Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Set value (str): Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (data): Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str): Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Set value (str): Classes\htmlfile\shell\Print\ = "&Print"
- Key created: Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Set value (str): Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key created: Classes\.mht
- Set value (str): Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created: Classes\Wow6432Node\CLSID
- Key deleted: Classes\htmlfile\shell\Print\command
- Key created: Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Set value (str): Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created: Classes\.mht\OpenWithList\Microsoft Word\shell\edit
- Set value (str): Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Set value (str): Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (str): Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key created: Classes\htmlfile
- Set value (data): Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str): Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Set value (str): Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created: Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key created: Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
- Key created: Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
- Set value (str): Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Key created: Classes\mhtmlfile\ShellEx
- Key created: Classes\.htm\OpenWithList\MSPub.exe
- Set value (data): Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created: Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Set value (data): Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key deleted: Classes\htmlfile\shell\Print
- Set value (str): Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (str): Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (str): Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created: Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
- Set value (str): Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (str): Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
- Set value (str): Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Set value (str): Classes\mhtmlfile\shell\Print\ = "&Print"
- Set value (str): Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str): Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Set value (str): Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
- Key created: Classes\.htm\OpenWithList\Microsoft Publisher
- Key created: Classes\mhtmlfile\shell\Edit
- Key created: Classes\htmlfile\DefaultIcon
- Key created: Classes\mhtmlfile\shell\Edit\command
- Set value (str): Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created: Classes\mhtmlfile\shell\Print
- Key deleted: Classes\mhtmlfile\shell\Print\command
- Set value (str): Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created: Classes\.htm\OpenWithList
- Key created: Classes\.htm\OpenWithList\Microsoft Word
- Set value (data): Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created: Classes\.htm\OpenWithList\WinWord.exe\shell\edit
- Key created: Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Set value (str): Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid / process:
- 1632 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / process:
- 924 vbc.exe (3 events)
- 1592 netsh.exe (61 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / process:
- 1392 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
pid / process:
- 924 vbc.exe (4 events)
- 1592 netsh.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description / pid / process (in event order):
- Token: SeDebugPrivilege, 924 vbc.exe
- Token: SeShutdownPrivilege, 1392 Explorer.EXE (10 events)
- Token: SeDebugPrivilege, 1592 netsh.exe
- Token: SeShutdownPrivilege, 1392 Explorer.EXE (3 events)
- Token: SeDebugPrivilege, 1348 winhh1lxj9.exe
- Token: SeShutdownPrivilege, 1392 Explorer.EXE (4 events)
-
Suspicious use of FindShellTrayWindow 14 IoCs
pid / process:
- 1392 Explorer.EXE (14 events)
-
Suspicious use of SendNotifyMessage 4 IoCs
pid / process:
- 1392 Explorer.EXE (4 events)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid / process:
- 1632 WINWORD.EXE (2 events)
-
Suspicious use of WriteProcessMemory 39 IoCs
description / pid / process / target process (in event order):
- PID 984 wrote to memory of 1788: EQNEDT32.EXE -> vbc.exe (4 events)
- PID 1788 wrote to memory of 924: vbc.exe -> vbc.exe (7 events)
- PID 1632 wrote to memory of 1636: WINWORD.EXE -> splwow64.exe (4 events)
- PID 924 wrote to memory of 1592: vbc.exe -> netsh.exe (4 events)
- PID 1592 wrote to memory of 1700: netsh.exe -> cmd.exe (4 events)
- PID 1392 wrote to memory of 1048: Explorer.EXE -> winhh1lxj9.exe (4 events)
- PID 1592 wrote to memory of 1916: netsh.exe -> Firefox.exe (4 events)
- PID 1048 wrote to memory of 1348: winhh1lxj9.exe -> winhh1lxj9.exe (7 events)
- PID 1592 wrote to memory of 1916: netsh.exe -> Firefox.exe (1 event)
Processes
-
1. C:\Windows\Explorer.EXE (pid 1392)
   command line: C:\Windows\Explorer.EXE
   - Drops file in Program Files directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 1632)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9aaf287388698afd5ef8bfeb1fb8ee24.rtf"
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\splwow64.exe (pid 1636)
         command line: C:\Windows\splwow64.exe 12288
   2. C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe (pid 1048)
      command line: "C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe (pid 1348)
         command line: "C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
1. C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 984)
   command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
   - Blocklisted process makes network request
   - Loads dropped DLL
   - Launches Equation Editor
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\vbc.exe (pid 1788)
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Public\vbc.exe (pid 924)
         command line: "C:\Users\Public\vbc.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe (pid 1592)
            command line: "C:\Windows\SysWOW64\netsh.exe"
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Drops file in Program Files directory
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe (pid 1700)
               command line: /c del "C:\Users\Public\vbc.exe"
            5. C:\Program Files\Mozilla Firefox\Firefox.exe (pid 1916)
               command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Reading the tree: the object embedded in the RTF activates EQNEDT32.EXE, which downloads the NSIS dropper to C:\Users\Public\vbc.exe and runs it. The dropper hollows a second copy of itself (pid 924), which injects into Explorer.EXE and starts netsh.exe with no arguments as the long-lived XLoader host (the Xloader Payload rule fires in 924 and 1592). netsh.exe writes the Run key, deletes the original dropper through cmd.exe, and launches and writes into Firefox.exe; the injected Explorer.EXE starts the persistence copy winhh1lxj9.exe, which repeats the hollowing (1048 -> 1348). netsh.exe launched with an empty command line from a user-writable path is the most distinctive single event in this run.
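Added example (not code from the sandbox or from the report): detection logic for the chain in the process tree above, run over events reconstructed from this page. The event records, their field names (kind, pid, image, parent_image, cmdline, target_image, key, value) and the Sysmon-like shape are constructed here; the pids, paths, command lines, Run-key value and SetThreadContext pairs are the report's own. The rules are behavioural heuristics rather than a signature on this sample's hashes, and the WINWORD.EXE Default HTML Editor write and the splwow64.exe child are included as the benign rows that must not alert.

```python
"""Detection rules for the chain in the process tree above, run over
events reconstructed from this report.

Added example; it is not code from the sandbox or from the report. The
event records, their field names (kind, pid, image, parent_image,
cmdline, target_image, key, value) and the Sysmon-like shape are
constructed here; pids, paths and command lines are the report's own.
The rules are behavioural heuristics, not a hash signature.
"""
import re
from ntpath import basename  # Windows path semantics on any host

SYS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
# <random dir>\<random file>.exe directly under Program Files, as in
# C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
RANDOM_PF = re.compile(
    r"^c:\\program files( \(x86\))?\\[a-z0-9]{6,12}\\[a-z0-9]{6,12}\.exe$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}


def in_sys_dir(image):
    """True for images under System32/SysWOW64 (netsh.exe, cmd.exe, ...)."""
    return bool(image) and image.lower().startswith(SYS_DIRS)


def detect(events):
    """Return [(rule, pid), ...] in event order, one tuple per rule hit."""
    hits = []
    for e in events:
        img = basename(e.get("image") or "").lower()
        parent = e.get("parent_image")
        if e["kind"] == "process":
            # Equation Editor has no legitimate reason to start anything.
            if basename(parent or "").lower() == "eqnedt32.exe":
                hits.append(("equation_editor_spawns_child", e["pid"]))
            # A hollowed system binary cleaning up the dropper.
            if img == "cmd.exe" and in_sys_dir(parent) and \
                    DEL_CMD.search(e.get("cmdline", "")):
                hits.append(("system_binary_self_delete", e["pid"]))
            # A browser started by netsh.exe & co., ready for injection.
            if img in BROWSERS and in_sys_dir(parent):
                hits.append(("browser_spawned_by_system_binary", e["pid"]))
        elif e["kind"] == "set_thread_context":
            tgt = basename(e["target_image"]).lower()
            # Same image = hollowed child; explorer.exe = shell injection.
            if tgt == img or tgt == "explorer.exe":
                hits.append(("thread_context_hollowing", e["pid"]))
        elif e["kind"] == "registry_set":
            if RUN_KEY.search(e["key"]) and (
                    in_sys_dir(e.get("image")) or RANDOM_PF.match(e["value"])):
                hits.append(("run_key_persistence", e["pid"]))
    return hits


def proc(pid, image, parent, cmdline):
    return {"kind": "process", "pid": pid, "image": image,
            "parent_image": parent, "cmdline": cmdline}


def stc(pid, image, target_pid, target_image):
    return {"kind": "set_thread_context", "pid": pid, "image": image,
            "target_pid": target_pid, "target_image": target_image}


def regset(pid, image, key, value):
    return {"kind": "registry_set", "pid": pid, "image": image,
            "key": key, "value": value}


WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
EXPL = r"C:\Windows\Explorer.EXE"
PERSIST = r"C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe"

# Constructed from the report's process tree, SetThreadContext and
# Run-key rows, in roughly the order they happened.
EVENTS = [
    proc(1632, WORD, EXPL, '"%s" /n "C:\\Users\\Admin\\AppData\\Local\\Temp'
                           '\\9aaf287388698afd5ef8bfeb1fb8ee24.rtf"' % WORD),
    proc(1636, r"C:\Windows\splwow64.exe", WORD, r"C:\Windows\splwow64.exe 12288"),
    proc(984, EQN, None, '"%s" -Embedding' % EQN),  # COM-activated, no parent shown
    proc(1788, VBC, EQN, '"%s"' % VBC),
    stc(1788, VBC, 924, VBC),
    proc(924, VBC, VBC, '"%s"' % VBC),
    stc(924, VBC, 1392, EXPL),
    proc(1592, NETSH, VBC, '"%s"' % NETSH),
    stc(1592, NETSH, 1392, EXPL),
    regset(1592, NETSH, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
                        r"\Windows\CurrentVersion\Run\DBFPEZIXW82L", PERSIST),
    regset(1632, WORD, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
                       r"\Internet Explorer\Default HTML Editor\shell\edit\command",
           '"%s" /n "%%1"' % WORD),
    proc(1700, r"C:\Windows\SysWOW64\cmd.exe", NETSH, '/c del "%s"' % VBC),
    proc(1916, r"C:\Program Files\Mozilla Firefox\Firefox.exe", NETSH,
         r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    proc(1048, PERSIST, EXPL, '"%s"' % PERSIST),
    stc(1048, PERSIST, 1348, PERSIST),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(pid, rule)
```

The rules are deliberately independent of the sample's hashes and random names: they fire on the Equation Editor child, on the SetThreadContext pairs, on a System32/SysWOW64 binary writing a Run value, on the self-delete via cmd.exe and on a browser launched by a system binary, while Word's own registry writes and its splwow64.exe child produce nothing.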
Downloads
-
C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe (listed 3 times)
MD5 36e60a2ecd13869a78ad7bc9312681d0
SHA1 8ef2422980fe2641a0d101fa1649fc24c43c2e97
SHA256 b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9
SHA512 bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36
-
C:\Users\Admin\AppData\Local\Temp\v3v4fyxld38pebqq
MD5 bdc3505c88522a01db5c675983355a86
SHA1 8465c710eb29a7a0696bb5e83d27961da67a03a0
SHA256 620ccc5897f1c5dca0e6a71bd47c6c8d9ef8aeb6d25b7fc1cdd46e6873587915
SHA512 717fdc1b782f2c4d78bf4588e3dee614f95a91f3213201f33f6546cbf2daa29c4e9e5b8b4911abe196cdd6b7c5c5ae6a3b7efddecd75cc5d38f09b6e10e8c58b
-
C:\Users\Public\vbc.exe (listed 3 times)
MD5 36e60a2ecd13869a78ad7bc9312681d0
SHA1 8ef2422980fe2641a0d101fa1649fc24c43c2e97
SHA256 b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9
SHA512 bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36
-
\Users\Admin\AppData\Local\Temp\nsb2B36.tmp\dzksq.dll
MD5 52a665d244ddb5192b3494f4ca1bd978
SHA1 07bd3f140917cd3992e9b9ffc120c84af834472d
SHA256 63466cfda81d5da190e8d3198ccff849e7c651f472efd58d277add978a50f131
SHA512 c892de4792dd99d8d9eb3da0e42d80132bb613062cec56faa0429019ca3e8e32804e2d065f72cbc8c960000013e113753bcd15b836e4d19f147f37f2f12e5648
-
\Users\Admin\AppData\Local\Temp\nst5294.tmp\dzksq.dll
MD5 52a665d244ddb5192b3494f4ca1bd978
SHA1 07bd3f140917cd3992e9b9ffc120c84af834472d
SHA256 63466cfda81d5da190e8d3198ccff849e7c651f472efd58d277add978a50f131
SHA512 c892de4792dd99d8d9eb3da0e42d80132bb613062cec56faa0429019ca3e8e32804e2d065f72cbc8c960000013e113753bcd15b836e4d19f147f37f2f12e5648
-
\Users\Public\vbc.exe (listed 3 times)
MD5 36e60a2ecd13869a78ad7bc9312681d0
SHA1 8ef2422980fe2641a0d101fa1649fc24c43c2e97
SHA256 b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9
SHA512 bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36
-
Three observations from the hashes: winhh1lxj9.exe is byte-identical to the downloaded vbc.exe (same MD5/SHA256), so the persistence copy is the unmodified NSIS dropper, and one hash set covers both. dzksq.dll appears with identical hashes in two NSIS temp directories (nsb2B36.tmp and nst5294.tmp), one per execution of the dropper (pids 1788 and 1048 both load a dropped DLL). The extension-less v3v4fyxld38pebqq in Temp is not classified by the report; NSIS-packed XLoader droppers usually pair a small loader DLL with an extension-less encrypted payload blob, so this is the file to pull first for static unpacking (an inference from the loader pattern, not something the report states).
-
Memory dumps (behavioral1); the 164KB regions at 0x400000 in 924 and at 0x80000 in 1592 are the ones the Xloader Payload rule matched and are the right dumps to carve for the unpacked image and config:
- memory/924-76-0x0000000000570000-0x0000000000581000-memory.dmp: 68KB
- memory/924-68-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/924-71-0x0000000000950000-0x0000000000C53000-memory.dmp: 3.0MB
- memory/924-73-0x00000000003C0000-0x00000000003D1000-memory.dmp: 68KB
- memory/924-75-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/924-69-0x000000000041D4A0-mapping.dmp
- memory/1048-89-0x0000000000000000-mapping.dmp
- memory/1348-98-0x0000000000820000-0x0000000000B23000-memory.dmp: 3.0MB
- memory/1348-96-0x000000000041D4A0-mapping.dmp
- memory/1392-77-0x0000000004220000-0x0000000004308000-memory.dmp: 928KB
- memory/1392-74-0x0000000007220000-0x000000000733C000-memory.dmp: 1.1MB
- memory/1392-86-0x0000000006010000-0x00000000060CE000-memory.dmp: 760KB
- memory/1592-80-0x0000000000000000-mapping.dmp
- memory/1592-82-0x0000000000D50000-0x0000000000D6B000-memory.dmp: 108KB
- memory/1592-84-0x0000000002170000-0x0000000002473000-memory.dmp: 3.0MB
- memory/1592-83-0x0000000000080000-0x00000000000A9000-memory.dmp: 164KB
- memory/1592-85-0x0000000000980000-0x0000000000A10000-memory.dmp: 576KB
- memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1632-58-0x0000000076241000-0x0000000076243000-memory.dmp: 8KB
- memory/1632-87-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1632-55-0x0000000072DB1000-0x0000000072DB4000-memory.dmp: 12KB
- memory/1632-56-0x0000000070831000-0x0000000070833000-memory.dmp: 8KB
- memory/1636-79-0x000007FEFC461000-0x000007FEFC463000-memory.dmp: 8KB
- memory/1636-78-0x0000000000000000-mapping.dmp
- memory/1700-81-0x0000000000000000-mapping.dmp
- memory/1788-63-0x0000000000000000-mapping.dmp