Analysis
- max time kernel: 125s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 06-07-2022 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
- Resource: win10v2004-20220414-en
General
- Target: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
- Size: 515KB
- MD5: 0299feffabdd3815d2249a5643203e3f
- SHA1: bdba33cf063fada308e401ab34980c62bc7dacbc
- SHA256: ed220a4ab4a9de44a5d1cd380be9dab98e90f820003e38bff4163ff4c881ea30
- SHA512: 8ff00b998c386bfe96da6c7dce2c1e5cae6b671c0ebcef0d7da7a8f3fd9150af76587c11a3771f4c8e8b3f7301a642691a2d7cf99cc4bac1f052b8486826125d
Malware Config
Extracted
metasploit
windows/download_exec
http://42.194.199.231:443/9ws9
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
suricata: ET MALWARE Generic .bin download from Dotted Quad
-
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
-
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
-
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
-
Blocklisted process makes network request 5 IoCs
Processes:
flow | pid | process
5 | 588 | rundll32.exe
7 | 588 | rundll32.exe
8 | 588 | rundll32.exe
10 | 588 | rundll32.exe
11 | 588 | rundll32.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1436 | f42.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1436 set thread context of 588 | 1436 | f42.exe | rundll32.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
WINWORD.EXE (key created, key deleted and value set events under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor, \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor and the user's Software\Microsoft\Internet Explorer\MenuExt and Toolbar keys)
-
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE (key created, key deleted and value set events under \REGISTRY\MACHINE\SOFTWARE\Classes for .htm, .mht, htmlfile, mhtmlfile and Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597})
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1160 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1160 | WINWORD.EXE
1160 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 240 wrote to memory of 1436 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | f42.exe
PID 240 wrote to memory of 1436 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | f42.exe
PID 240 wrote to memory of 1436 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | f42.exe
PID 240 wrote to memory of 1436 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | f42.exe
PID 240 wrote to memory of 1160 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | WINWORD.EXE
PID 240 wrote to memory of 1160 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | WINWORD.EXE
PID 240 wrote to memory of 1160 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | WINWORD.EXE
PID 240 wrote to memory of 1160 | 240 | 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe | WINWORD.EXE
PID 1160 wrote to memory of 1572 | 1160 | WINWORD.EXE | splwow64.exe
PID 1160 wrote to memory of 1572 | 1160 | WINWORD.EXE | splwow64.exe
PID 1160 wrote to memory of 1572 | 1160 | WINWORD.EXE | splwow64.exe
PID 1160 wrote to memory of 1572 | 1160 | WINWORD.EXE | splwow64.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
PID 1436 wrote to memory of 588 | 1436 | f42.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f42.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f42.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\System32\rundll32.exe
      - Blocklisted process makes network request
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc
  Filesize: 37KB
  MD5: 528a70e3f75240ae5ef6bfa8f10d6191
  SHA1: 17c312f99a0e365168c80ac6395bf1e163951ba3
  SHA256: f0025b863f02d5507f2f83fe9412ee1436320024a5b6ec48bc2700e61accfc7a
  SHA512: 7cec39187027ab42562c47d1a71da83350792bdcdf7b3b4899a82d742f47ccf4a30cc32086110cfeea03d3f2dccd093fcb2b319b5585a34da6633b614d52f468
- C:\Users\Admin\AppData\Local\Temp\f42.exe
  Filesize: 102KB
  MD5: f498abb83b98e85ed154fb22b349589c
  SHA1: e30870eda26c1005a6cfc6d76b450bbfaca9dc84
  SHA256: f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
  SHA512: 1c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
- memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp: 8KB
- memory/588-76-0x0000000002E80000-0x0000000002F0C000-memory.dmp: 560KB
- memory/588-75-0x0000000002A80000-0x0000000002E80000-memory.dmp: 4.0MB
- memory/588-73-0x0000000002E80000-0x0000000002F0C000-memory.dmp: 560KB
- memory/588-72-0x0000000002A80000-0x0000000002E80000-memory.dmp: 4.0MB
- memory/588-70-0x000000000002178C-mapping.dmp
- memory/1160-62-0x0000000072AD1000-0x0000000072AD4000-memory.dmp: 12KB
- memory/1160-64-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1160-63-0x0000000070551000-0x0000000070553000-memory.dmp: 8KB
- memory/1160-61-0x0000000000000000-mapping.dmp
- memory/1160-68-0x000000007153D000-0x0000000071548000-memory.dmp: 44KB
- memory/1160-74-0x000000007153D000-0x0000000071548000-memory.dmp: 44KB
- memory/1160-77-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1160-78-0x000000007153D000-0x0000000071548000-memory.dmp: 44KB
- memory/1436-58-0x0000000000000000-mapping.dmp
- memory/1572-69-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp: 8KB
- memory/1572-67-0x0000000000000000-mapping.dmp