Analysis
- max time kernel: 300s
- max time network: 302s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: question.010.21.doc
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: question.010.21.doc
- Resource: win10-en-20211014
General
- Target: question.010.21.doc
- Size: 34KB
- MD5: 7a87ef713680cc71ba38945b305a9579
- SHA1: 08f858b709bea8c5e16bdd026338f02cb7605c88
- SHA256: 2a46ff6e614f60b3166614e9f7f94d0b001cda9b8a2b296e917b0b6aa54dba12
- SHA512: 91473bf2ea429e17198ec0dad53cd8323e4d9b520cf63a57857e45fef7edad823b29a648fcd4f166460a6b1bd43ccbcfe9c2c677d1c97d1885a6108c92cdaba0
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 896 | 1524 | mshta.exe | WINWORD.EXE
- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  Processes (description | pid | process | target process):
  PID 1160 created 1400 | 1160 | regsvr32.exe | Explorer.EXE
suricata: ET MALWARE BazaLoader Activity (GET)
suricata: ET MALWARE BazaLoader Activity (GET)
- Bazar/Team9 Loader payload 2 IoCs
  Processes (resource | yara_rule):
  behavioral1/memory/1160-75-0x0000000001FE0000-0x0000000002206000-memory.dmp | BazarLoaderVar5
  behavioral1/memory/284-82-0x0000000001FA0000-0x00000000021C6000-memory.dmp | BazarLoaderVar5
- Blocklisted process makes network request 1 IoCs
  Processes (flow | pid | process):
  5 | 896 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL 3 IoCs
  Processes (pid | process):
  908 | regsvr32.exe
  1160 | regsvr32.exe
  284 | regsvr32.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description | pid | process | target process):
  PID 1160 set thread context of 1320 | 1160 | regsvr32.exe | chrome.exe
- Drops file in Windows directory 1 IoCs
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
- Modifies registry class 64 IoCs
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid | process):
  1524 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes (pid | process):
  1160 | regsvr32.exe
- Suspicious use of SetWindowsHookEx 16 IoCs
  Processes (pid | process):
  1524 | WINWORD.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes (description | pid | process | target process), identical rows grouped:
  PID 1524 wrote to memory of 896 | 1524 | WINWORD.EXE | mshta.exe (4 entries)
  PID 1524 wrote to memory of 1868 | 1524 | WINWORD.EXE | splwow64.exe (4 entries)
  PID 896 wrote to memory of 908 | 896 | mshta.exe | regsvr32.exe (7 entries)
  PID 908 wrote to memory of 1160 | 908 | regsvr32.exe | regsvr32.exe (7 entries)
  PID 1160 wrote to memory of 1320 | 1160 | regsvr32.exe | chrome.exe (42 entries)
Processes (tree; nesting shows parent/child relationship)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question.010.21.doc"
    Signatures:
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaRedSea.hta"
      Signatures:
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\seaSeaLady.jpg
        Signatures:
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\regsvr32.exe
          Command line: c:\users\public\seaSeaLady.jpg
          Signatures:
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s "c:\users\public\seaSeaLady.jpg"
  Signatures:
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: ab5c36d10261c173c5896f3478cdc6b7
  SHA1: 87ac53810ad125663519e944bc87ded3979cbee4
  SHA256: f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
  SHA512: e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 42738ad7feedbfe8d14cdc27065ec2e2
  SHA1: c6afe927f3949af0d5d1eeae250f110f92e50ede
  SHA256: 5cad2714e4529fd56e7c21d803cb9d3125cba2b2c3adc0cc81a6708cbeadebf0
  SHA512: 76865f93303da634a2d48cd78389fa869b2722a2f2192c53d032f646132163105cc7ab92cc5952346b2b81be457aea44618c289d138c528f362aef4d396e651e
- C:\users\public\seaRedSea.hta
  MD5: 937fd4b981d32e8d76e28d924568fcee
  SHA1: 61d97a255a266e21dc326ad44e7c1d350eb0b91e
  SHA256: c6218d2af935d5b2c97d9d0fb4b2c35aa24709e5704b51c8866ba1af44eb9342
  SHA512: 82646b237109cefa9d2ef6c5de1494052c0f80a7302e91311b96bf3032251932a55ef87c419cb530444c9ac0886a7309e59c840eb075bb5320ff59b28d85a0c2
- \??\c:\users\public\seaSeaLady.jpg
  MD5: 5ab9e8327a98e368ae62b1efad44e7f6
  SHA1: f63028fa656404b2f9e04f427d124e2ec8824541
  SHA256: 1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933
  SHA512: e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c
- \Users\Public\seaSeaLady.jpg (listed three times in the original report, each time with identical hashes)
  MD5: 5ab9e8327a98e368ae62b1efad44e7f6
  SHA1: f63028fa656404b2f9e04f427d124e2ec8824541
  SHA256: 1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933
  SHA512: e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c
- memory/284-82-0x0000000001FA0000-0x00000000021C6000-memory.dmp
  Filesize: 2.1MB
- memory/896-64-0x0000000000000000-mapping.dmp
- memory/908-68-0x0000000000000000-mapping.dmp
- memory/1160-75-0x0000000001FE0000-0x0000000002206000-memory.dmp
  Filesize: 2.1MB
- memory/1160-72-0x0000000000000000-mapping.dmp
- memory/1524-59-0x00000000003E4000-0x00000000003E8000-memory.dmp
  Filesize: 16KB
- memory/1524-62-0x00000000003E4000-0x00000000003E8000-memory.dmp
  Filesize: 16KB
- memory/1524-60-0x00000000003E4000-0x00000000003E8000-memory.dmp
  Filesize: 16KB
- memory/1524-54-0x0000000072201000-0x0000000072204000-memory.dmp
  Filesize: 12KB
- memory/1524-76-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1524-58-0x00000000003E4000-0x00000000003E8000-memory.dmp
  Filesize: 16KB
- memory/1524-57-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB
- memory/1524-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1524-55-0x000000006FC81000-0x000000006FC83000-memory.dmp
  Filesize: 8KB
- memory/1868-67-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
  Filesize: 8KB
- memory/1868-66-0x0000000000000000-mapping.dmp