Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 03:56
Static task
static1
Behavioral task
behavioral1
Sample
ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe
Resource
win10v2004-20220414-en
General
-
Target
ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe
-
Size
515KB
-
MD5
0299feffabdd3815d2249a5643203e3f
-
SHA1
bdba33cf063fada308e401ab34980c62bc7dacbc
-
SHA256
ed220a4ab4a9de44a5d1cd380be9dab98e90f820003e38bff4163ff4c881ea30
-
SHA512
8ff00b998c386bfe96da6c7dce2c1e5cae6b671c0ebcef0d7da7a8f3fd9150af76587c11a3771f4c8e8b3f7301a642691a2d7cf99cc4bac1f052b8486826125d
Malware Config
Extracted
metasploit
windows/download_exec
http://42.194.199.231:443/9ws9
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
-
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
-
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
-
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
-
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
-
Blocklisted process makes network request 7 IoCs
Processes:
rundll32.exeflow pid process 5 1512 rundll32.exe 7 1512 rundll32.exe 8 1512 rundll32.exe 10 1512 rundll32.exe 12 1512 rundll32.exe 13 1512 rundll32.exe 14 1512 rundll32.exe -
Executes dropped EXE 1 IoCs
Processes:
f42.exepid process 1692 f42.exe -
Loads dropped DLL 3 IoCs
Processes:
ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exepid process 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
f42.exedescription pid process target process PID 1692 set thread context of 1512 1692 f42.exe rundll32.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1996 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1996 WINWORD.EXE 1996 WINWORD.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exeWINWORD.EXEf42.exedescription pid process target process PID 1160 wrote to memory of 1692 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe f42.exe PID 1160 wrote to memory of 1692 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe f42.exe PID 1160 wrote to memory of 1692 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe f42.exe PID 1160 wrote to memory of 1692 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe f42.exe PID 1160 wrote to memory of 1996 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe WINWORD.EXE PID 1160 wrote to memory of 1996 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe WINWORD.EXE PID 1160 wrote to memory of 1996 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe WINWORD.EXE PID 1160 wrote to memory of 1996 1160 ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe WINWORD.EXE PID 1996 wrote to memory of 1804 1996 WINWORD.EXE splwow64.exe PID 1996 wrote to memory of 1804 1996 WINWORD.EXE splwow64.exe PID 1996 wrote to memory of 1804 1996 WINWORD.EXE splwow64.exe PID 1996 wrote to memory of 1804 1996 WINWORD.EXE splwow64.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe PID 1692 wrote to memory of 1512 1692 f42.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe"C:\Users\Admin\AppData\Local\Temp\ä¸å›½ç”µæœºå·¥ç¨‹å¦ä¼š-2022年度新型电力系统创新奖申报表.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f42.exe"C:\Users\Admin\AppData\Local\Temp\f42.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe3⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.docFilesize
37KB
MD5528a70e3f75240ae5ef6bfa8f10d6191
SHA117c312f99a0e365168c80ac6395bf1e163951ba3
SHA256f0025b863f02d5507f2f83fe9412ee1436320024a5b6ec48bc2700e61accfc7a
SHA5127cec39187027ab42562c47d1a71da83350792bdcdf7b3b4899a82d742f47ccf4a30cc32086110cfeea03d3f2dccd093fcb2b319b5585a34da6633b614d52f468
-
C:\Users\Admin\AppData\Local\Temp\f42.exeFilesize
102KB
MD5f498abb83b98e85ed154fb22b349589c
SHA1e30870eda26c1005a6cfc6d76b450bbfaca9dc84
SHA256f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
SHA5121c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
-
\Users\Admin\AppData\Local\Temp\f42.exeFilesize
102KB
MD5f498abb83b98e85ed154fb22b349589c
SHA1e30870eda26c1005a6cfc6d76b450bbfaca9dc84
SHA256f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
SHA5121c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
-
\Users\Admin\AppData\Local\Temp\f42.exeFilesize
102KB
MD5f498abb83b98e85ed154fb22b349589c
SHA1e30870eda26c1005a6cfc6d76b450bbfaca9dc84
SHA256f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
SHA5121c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
-
\Users\Admin\AppData\Local\Temp\f42.exeFilesize
102KB
MD5f498abb83b98e85ed154fb22b349589c
SHA1e30870eda26c1005a6cfc6d76b450bbfaca9dc84
SHA256f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
SHA5121c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
-
memory/1160-54-0x0000000075581000-0x0000000075583000-memory.dmpFilesize
8KB
-
memory/1512-75-0x0000000000B70000-0x0000000000BAE000-memory.dmpFilesize
248KB
-
memory/1512-73-0x0000000000B70000-0x0000000000BAE000-memory.dmpFilesize
248KB
-
memory/1512-72-0x0000000002BB0000-0x0000000002FB0000-memory.dmpFilesize
4.0MB
-
memory/1512-70-0x0000000000DC178C-mapping.dmp
-
memory/1692-58-0x0000000000000000-mapping.dmp
-
memory/1804-68-0x0000000000000000-mapping.dmp
-
memory/1804-69-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmpFilesize
8KB
-
memory/1996-66-0x000000007130D000-0x0000000071318000-memory.dmpFilesize
44KB
-
memory/1996-64-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1996-63-0x0000000070321000-0x0000000070323000-memory.dmpFilesize
8KB
-
memory/1996-62-0x00000000728A1000-0x00000000728A4000-memory.dmpFilesize
12KB
-
memory/1996-74-0x000000007130D000-0x0000000071318000-memory.dmpFilesize
44KB
-
memory/1996-61-0x0000000000000000-mapping.dmp