svcready | bddea66a3234b3773af6aff828f02df1c894516a54cbd2ccea6ff722262d0fa5

Analysis

max time kernel
1758s
max time network
1613s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-07-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbdy_document_07.06.2022.docm
Size

2.8MB
MD5

d099b942e5e42a6f4cf0428a16d9e234
SHA1

f79cc392c65c3242ceac6314bcf86a5162a87208
SHA256

bddea66a3234b3773af6aff828f02df1c894516a54cbd2ccea6ff722262d0fa5
SHA512

b253d0d91e7415cea6f44f1cd72bcb86e3195aa8fc09e3a3a10aeb10429518963e218a7c271e467c37604ef447136d1d14452d938eacd2b02d9a1900f481f321

Score

10^/10

svcready loader suricata

Malware Config

Signatures

Detects SVCReady loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1508-105-0x0000000000450000-0x000000000052E000-memory.dmp	family_svcready
behavioral1/memory/2008-109-0x00000000068B0000-0x00000000074FA000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
suricata: ET MALWARE Observed Win32/SVCReady Loader User-Agent
suricata: ET MALWARE Observed Win32/SVCReady Loader User-Agent
suricata
suricata: ET MALWARE Win32/SVCReady Loader CnC Activity M2
suricata: ET MALWARE Win32/SVCReady Loader CnC Activity M2
suricata
Executes dropped EXE 1 IoCs

Processes:

r8920.tmp.exe

pid process

1508 r8920.tmp.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

r8920.tmp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion r8920.tmp.exe
Loads dropped DLL 5 IoCs

Processes:

WINWORD.EXEr8920.tmp.exe

pid process

2008 WINWORD.EXE
1508 r8920.tmp.exe
1508 r8920.tmp.exe
1508 r8920.tmp.exe
1508 r8920.tmp.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1508	r8920.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	r8920.tmp.exe

pid	process
2008	WINWORD.EXE
1508	r8920.tmp.exe
1508	r8920.tmp.exe
1508	r8920.tmp.exe
1508	r8920.tmp.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

r8920.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	r8920.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	r8920.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	r8920.tmp.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1948 systeminfo.exe

pid	process
1948	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEr8920.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\ = 0e0000005ac751876577a1aa7d34b3867f21ad406251b5792f90facb0043ca249ffaa265a59cb4ee411337a503b6a604e7d3	r8920.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}	r8920.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

r8920.tmp.exe

pid process

1508 r8920.tmp.exe
1508 r8920.tmp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeShutdownPrivilege 2008 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
2008 WINWORD.EXE

pid	process
2008	WINWORD.EXE

pid	process
1508	r8920.tmp.exe
1508	r8920.tmp.exe

pid	process
2008	WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	2008	WINWORD.EXE

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEr8920.tmp.exe

description	pid	process	target process
PID 2008 wrote to memory of 1716	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1716	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1716	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1716	2008	WINWORD.EXE	splwow64.exe
PID 2008 wrote to memory of 1508	2008	WINWORD.EXE	r8920.tmp.exe
PID 2008 wrote to memory of 1508	2008	WINWORD.EXE	r8920.tmp.exe
PID 2008 wrote to memory of 1508	2008	WINWORD.EXE	r8920.tmp.exe
PID 2008 wrote to memory of 1508	2008	WINWORD.EXE	r8920.tmp.exe
PID 1508 wrote to memory of 1948	1508	r8920.tmp.exe	systeminfo.exe
PID 1508 wrote to memory of 1948	1508	r8920.tmp.exe	systeminfo.exe
PID 1508 wrote to memory of 1948	1508	r8920.tmp.exe	systeminfo.exe
PID 1508 wrote to memory of 1948	1508	r8920.tmp.exe	systeminfo.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbdy_document_07.06.2022.docm"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\r8920.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\r8920.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\y891F.tmp.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\systeminfo.exe
    C:\Windows\System32\systeminfo.exe
    3⤵
    - Gathers system information
    PID:1948

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r8920.tmp.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8920.tmp.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y891F.tmp.dll

Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\r8920.tmp.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\y891F.tmp.dll

Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
\Users\Admin\AppData\Local\Temp\y891F.tmp.dll

Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
\Users\Admin\AppData\Local\Temp\y891F.tmp.dll

Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
\Users\Admin\AppData\Local\Temp\y891F.tmp.dll

Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
memory/1508-105-0x0000000000450000-0x000000000052E000-memory.dmp

Filesize
888KB

Download
memory/1508-104-0x0000000000450000-0x000000000052E000-memory.dmp

Filesize
888KB

Download
memory/1508-96-0x0000000000000000-mapping.dmp

Download
memory/1508-112-0x00000000000A0000-0x00000000000A6000-memory.dmp

Filesize
24KB

Download
memory/1716-93-0x0000000000000000-mapping.dmp

Download
memory/1716-94-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download
memory/1948-118-0x0000000000000000-mapping.dmp

Download
memory/2008-69-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-88-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-73-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-72-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-75-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-74-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-76-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-77-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-78-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-79-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-80-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-81-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-83-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-82-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-84-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-85-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-86-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-91-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-92-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-90-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-89-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-70-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-71-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-68-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-54-0x0000000072E91000-0x0000000072E94000-memory.dmp

Filesize
12KB

Download
memory/2008-66-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-67-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-64-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-65-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-63-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-60-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-62-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-61-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-59-0x00000000004BC000-0x00000000004C0000-memory.dmp

Filesize
16KB

Download
memory/2008-58-0x00000000718FD000-0x0000000071908000-memory.dmp

Filesize
44KB

Download
memory/2008-109-0x00000000068B0000-0x00000000074FA000-memory.dmp

Filesize
12.3MB

Download
memory/2008-110-0x0000000002450000-0x0000000002503000-memory.dmp

Filesize
716KB

Download
memory/2008-111-0x00000000068B0000-0x00000000074FA000-memory.dmp

Filesize
12.3MB

Download
memory/2008-57-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/2008-113-0x00000000718FD000-0x0000000071908000-memory.dmp

Filesize
44KB

Download
memory/2008-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-55-0x0000000070911000-0x0000000070913000-memory.dmp

Filesize
8KB

Download