Analysis

max time kernel: 154s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2022 11:15
Behavioral tasks

behavioral1: sample a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe, resource win7-20220812-en
behavioral2: sample a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe, resource win10v2004-20220812-en

The signatures and process tree on this page come from behavioral1, the Windows 7 x64 run (the platform above is windows7_x64 and the YARA matches are tagged behavioral1). The behavioral2 (Windows 10) results are not reproduced here.
General

Target: a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe
Size: 42KB
MD5: 0904749cfefd47efdef540eab06a2e38
SHA1: 18b1c4147a5902a379616c505ab5a1daa38a96d2
SHA256: a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d
SHA512: 9839aec5eae09a6cefe5a4ad179ee747c488bc9f2e5b33c870bcc5ab1aa4f082eec5f37f0e25176f9f6fee9948dfaf209c3912dd1273e42871822fc4adc8fb2a
SSDEEP: 768:gyz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888O:hzOCay4wV339rPjzbpLwRJ9pSdoIT
Malware Config

No configuration was extracted for this sample (the section is empty in the report).

Signatures

In the lists below "the sample" means a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe (PID 2020). Several lists stop at exactly 64 entries, which is the report's per-signature display limit; treat those as samples of the activity rather than complete sets.
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Two Shell values, each written by all four malware processes (SPOOLSV.EXE, SVCHOST.EXE, the sample, CTFMON.EXE):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
What to look for: the stock Shell value is the bare string Explorer.exe. Here explorer.exe is started with a file path as its argument, which makes the shell ShellExecute that path as it comes up, so the dropped copy runs at every logon without touching a Run key. The \u00a0 in the machine-wide value is U+00A0 (NO-BREAK SPACE): the dropped file is C:\Windows\Fonts\ Explorer.exe with a leading non-breaking space, which is visually indistinguishable from the real name in most listings. Note also that the machine-wide write lands under Wow6432Node, the 32-bit view of the key (the resource tags show arch:x86, so the sample runs under WOW64); a detection that only reads the native 64-bit Winlogon key will miss it, while the per-user value is written to the native path.
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    written by: the sample, CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE

Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    written by: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, the sample
Together these two values make Explorer hide known extensions and protected operating-system files: a file carrying a second extension such as .scr (the class this sample also re-labels, see Modifies registry class) shows only its first extension, and hidden/system-attributed files are kept out of view. Restoring HideFileExt=0 and ShowSuperHidden=1 is part of cleanup, not only of detection.
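The two persistence values and the two Explorer settings above are the kind of registry writes a responder wants to check mechanically rather than by eye, because the interesting part (a second executable on the Shell line, a non-ASCII character in its path) is easy to miss. The following Python is an added example, not part of the sandbox report or of any tool it came from. REPORT_RECORDS transcribes four of the report's entries as (key, value, writing process), with the report's \u00a0 escape resolved to a real U+00A0 character, plus one constructed "baseline" record holding the stock value so the checks have a negative case; the finding names are this example's own.

```python
"""Check the Winlogon\\Shell and Explorer\\Advanced writes the report lists.

Added example, not part of the sandbox report. REPORT_RECORDS transcribes
four of the entries above as (key, value, writing process), with the
report's \\u00a0 escape resolved to a real U+00A0 character; the "baseline"
record is constructed so the checks have a clean negative case.
"""
import unicodedata

SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
HKLM_WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_WINLOGON = r"\REGISTRY\USER\%s\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" % SID
HKCU_ADVANCED = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" % SID
SAMPLE = "a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe"

REPORT_RECORDS = [
    (HKLM_WINLOGON + r"\Shell", 'Explorer.exe "C:\\Windows\\Fonts\\\u00a0Explorer.exe"', "SPOOLSV.EXE"),
    (HKCU_WINLOGON + r"\Shell", 'Explorer.exe "C:\\recycled\\SVCHOST.exe"', "SVCHOST.EXE"),
    (HKCU_ADVANCED + r"\HideFileExt", "1", "CTFMON.EXE"),
    (HKCU_ADVANCED + r"\ShowSuperHidden", "0", SAMPLE),
    # Constructed baseline: the stock value on a clean machine, must yield no finding.
    (HKLM_WINLOGON + r"\Shell", "explorer.exe", "baseline"),
]


def split_command_line(cmd):
    """Minimal Windows-style split: spaces separate tokens, double quotes group them."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def odd_characters(path):
    """Characters outside printable ASCII, with their Unicode names, e.g.
    (17, 'U+00A0 NO-BREAK SPACE'). Such characters let a dropped file share
    its visible name with a system binary."""
    return [(i, "U+%04X %s" % (ord(c), unicodedata.name(c, "<unnamed>")))
            for i, c in enumerate(path) if ord(c) < 0x20 or ord(c) > 0x7E]


def triage(records):
    """Return (finding, process, detail) tuples for the registry writes that matter."""
    findings = []
    for key, value, proc in records:
        parent, _, leaf = key.rpartition("\\")
        parent, leaf = parent.lower(), leaf.lower()
        if parent.endswith("\\winlogon") and leaf == "shell":
            # Shell is a comma-separated list of command lines; the stock value is just Explorer.exe.
            # (A comma inside a quoted path would need a quote-aware split; none occurs here.)
            for entry in value.split(","):
                tokens = split_command_line(entry.strip())
                if [t.lower() for t in tokens] == ["explorer.exe"]:
                    continue
                findings.append(("winlogon_shell_extra", proc, tokens))
                for token in tokens:
                    odd = odd_characters(token)
                    if odd:
                        findings.append(("lookalike_path", proc, (token, odd)))
        elif parent.endswith("\\explorer\\advanced") and leaf == "hidefileext" and value.strip() == "1":
            findings.append(("hide_extensions", proc, value))
        elif parent.endswith("\\explorer\\advanced") and leaf == "showsuperhidden" and value.strip() == "0":
            findings.append(("hide_system_files", proc, value))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in triage(REPORT_RECORDS):
        print("%-22s %-12s %r" % (kind, proc, detail))
```

Run against the report's records this yields two winlogon_shell_extra findings (one per Shell value), one lookalike_path finding for the Fonts path (the U+00A0 at offset 17), and one finding each for HideFileExt and ShowSuperHidden; the baseline record produces nothing. The same functions apply unchanged to a registry export from a live host, provided the values are passed in decoded rather than in the report's JSON-escaped form.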
YARA rule aspack_v212_v242 on dropped files (behavioral1; the signature heading for this block is not present in the extract)
The rule name denotes an ASPack 2.12 to 2.42 packed executable. It matched 33 captured file resources; grouped by resource id, with the numeric suffix the report appends to each:
behavioral1/files/0x00080000000122f1-{57,58,60,64,68,82,84,104,106}.dat
behavioral1/files/0x00080000000122f3-{72,73,74,76,87,90,109,111,113,127,128,130}.dat
behavioral1/files/0x00080000000122f5-{94,95,96,98,117,121,123,135,141}.dat
behavioral1/files/0x00080000000122f9-{65,80,102}.dat
Four distinct resources, written repeatedly, is consistent with the four files the process tree shows being dropped and re-dropped (SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE in C:\recycled and the Fonts copy); a packer match on all of them also means static string analysis of the dropped files needs an unpacking step first.
Executes dropped EXE (12 IoCs)
996 SVCHOST.EXE, 848 SVCHOST.EXE, 1516 SPOOLSV.EXE, 1048 SVCHOST.EXE, 1272 SPOOLSV.EXE, 524 CTFMON.EXE, 1352 SVCHOST.EXE, 1776 SPOOLSV.EXE, 1392 CTFMON.EXE, 1324 CTFMON.EXE, 1064 SPOOLSV.EXE, 1528 CTFMON.EXE
All three image names borrow from legitimate Windows binaries (svchost.exe, spoolsv.exe, ctfmon.exe), but per the process tree they run from C:\recycled, not from C:\Windows\System32. Path, not image name, is the discriminator.

Loads dropped DLL (15 IoCs)
2020 the sample (5 entries), 996 SVCHOST.EXE (3), 1516 SPOOLSV.EXE (4), 524 CTFMON.EXE (3)
Drops desktop.ini file(s) (1 IoC)
File opened for modification C:\Recycled\desktop.ini  (the sample)
A desktop.ini in the directory that holds the dropped executables is how a folder is given a custom name or icon in Explorer, and the directory name already imitates the Recycle Bin. The report does not capture the file's contents, so treat that as the likely purpose rather than a confirmed one.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) on drive roots, per process (letters sorted):
the sample: \??\E: \??\F: \??\H: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\R: \??\S: \??\T: \??\U: \??\W: \??\Y: \??\Z:  (17)
SPOOLSV.EXE: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\P: \??\Q: \??\R: \??\S: \??\U: \??\W: \??\X: \??\Y:  (17)
CTFMON.EXE: \??\F: \??\G: \??\H: \??\J: \??\L: \??\M: \??\N: \??\O: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\X: \??\Y: \??\Z:  (17)
SVCHOST.EXE: \??\E: \??\F: \??\G: \??\I: \??\K: \??\M: \??\N: \??\O: \??\R: \??\U: \??\V: \??\W: \??\X:  (13)
Each long-lived copy walks the drive letters on its own; the missing letters per process are most likely an artefact of the 64-entry cap on this list rather than letters the malware skipped. Every letter, opened read-only at the root, by every copy, is the pattern of a worm looking for removable or mapped drives to copy itself to. Nothing in this report shows the copy to another drive itself (the sandbox exposes only C:).
Drops file in Windows directory (6 IoCs)
File opened for modification C:\Windows\Fonts\ Explorer.exe  (SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, the sample)
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe  (the sample)
File opened for modification C:\Windows\Debug\WIA\wiatrace.log  (WINWORD.EXE)
The space in "Fonts\ Explorer.exe" is the U+00A0 non-breaking space that also appears in the Winlogon Shell value. C:\Windows\Fonts is a convenient drop location because Explorer renders it as a font list rather than as a plain directory. docicon.exe is the Office icon resource in the Windows Installer cache that the registry-class section shows SPOOLSV.EXE pointing Word.Document.8\DefaultIcon at; the report does not show what the sample wrote to it. wiatrace.log is Office's Windows Image Acquisition trace, written by WINWORD.EXE, not something the sample wrote.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: "likely ransomware" is the report's generic description for this signature, not a finding about this sample. Nothing else on the page supports it: no file encryption, no ransom note, no mass file rewrites. Read the drive enumeration together with the self-copies to C:\recycled and C:\Windows\Fonts and the Winlogon persistence as worm-style propagation and persistence.
Office loads VBA resources, possible macro or embedded object present
No IoC list for this signature survives on the page. The entries that follow are all WINWORD.EXE registry writes under Internet Explorer keys; their own signature heading was lost in extraction.

Internet Explorer editor and menu keys written by WINWORD.EXE (31 entries, all WINWORD.EXE):
Default HTML Editor (\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor):
Key deleted ...\Default HTML Editor\shell\edit\COMMAND
Key deleted ...\Default HTML Editor\shell\edit
Key deleted ...\Default HTML Editor\shell
Key deleted ...\Default HTML Editor
Key created ...\Default HTML Editor
Key created ...\Default HTML Editor\shell
Key created ...\Default HTML Editor\shell\edit
Key created ...\Default HTML Editor\shell\edit\command
Set value (str) ...\Default HTML Editor\shell\edit\ = "&Edit"
Set value (str) ...\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Set value (data) ...\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Default MHTML Editor (\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor):
Key deleted ...\Default MHTML Editor\shell\edit\COMMAND
Key deleted ...\Default MHTML Editor\shell\edit
Key deleted ...\Default MHTML Editor\shell
Key deleted ...\Default MHTML Editor
Key created ...\Default MHTML Editor
Key created ...\Default MHTML Editor\shell
Key created ...\Default MHTML Editor\shell\edit
Key created ...\Default MHTML Editor\shell\edit\command
Set value (str) ...\Default MHTML Editor\shell\edit\ = "&Edit"
Set value (str) ...\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Set value (data) ...\Default MHTML Editor\shell\edit\command\command = (the same REG_BINARY data as the Default HTML Editor entry above)
Per-user menu and toolbar keys (\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer):
Key created ...\MenuExt
Key created ...\MenuExt\Se&nd to OneNote
Set value (str) ...\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int) ...\MenuExt\Se&nd to OneNote\Contexts = "55"
Key created ...\MenuExt\E&xport to Microsoft Excel
Set value (str) ...\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int) ...\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created ...\Toolbar
Set value (str) ...\Toolbar\ShowDiscussionButton = "Yes"
Reading: delete-then-recreate of the two editor keys, the OneNote and Excel menu extensions and the discussion-toolbar flag are Office 2010 re-registering its Internet Explorer integration, which happens when WINWORD.EXE starts (the sample starts it, PID 2020 -> 2024 under WriteProcessMemory). The REG_BINARY command values are UTF-16LE text in the Windows Installer advertised-command (Darwin descriptor) format, i.e. Office self-repair bookkeeping, not attacker data.
Modifies registry class (64 IoCs)

Written by the malware processes (13 entries):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"  CTFMON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\  (value not shown in the report)  CTFMON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\  (value not shown in the report)  the sample
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND  the sample
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG  the sample
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL  the sample
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"  SPOOLSV.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"  SVCHOST.EXE, SPOOLSV.EXE, the sample
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"  CTFMON.EXE, SPOOLSV.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"  SVCHOST.EXE
Reading: the sample re-labels the screensaver file class. The scrfile type name becomes "Microsoft Word 97 - 2003 Document", the Configure and Install verbs that would give away a screensaver in the context menu are deleted, and SPOOLSV.EXE points the Word 97-2003 icon at the docicon.exe file under the Installer cache that the sample itself opened for modification. Combined with HideFileExt=1, a dropped .scr is presented to the user as a Word document with a Word icon and no visible extension. The Classes\* InfoTip, TileInfo and QuickTip values control which properties Explorer shows in tooltips and tiles for every file type.

Written by WINWORD.EXE (51 entries, Office re-registering its HTML/MHTML handlers; this is Office's own activity, triggered by the sample launching Word):
htmlfile / mhtmlfile:
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
CLSID {42042206-2D85-11D3-8CFF-005004838597} (the icon handler above):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
.htm OpenWithList:
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = (the same REG_BINARY data as the Microsoft Word entry above)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
.mht OpenWithList:
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
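The two REG_BINARY `command` values WINWORD.EXE wrote (one under Default HTML Editor, Default MHTML Editor, .htm\OpenWithList\Microsoft Word and .htm\OpenWithList\WinWord.exe, the other under .htm\OpenWithList\MSPub.exe) are the only registry data on this page that is not readable as text, and an analyst has to decide whether they are payload or noise. The Python below is an added example, not part of the report or of the sandbox. The two hex strings are copied from the report; the decoding is mine: REG_BINARY printed as hex, decoded as UTF-16LE, then split according to the Windows Installer advertised-command layout (a 20-character packed product code, the feature name, '>', a 20-character packed component id, then the command-line arguments), with the packed GUIDs unpacked through the 85-symbol alphabet that encoding uses. The product code it recovers can be compared directly against the {90140000-0011-0000-0000-0000000FF1CE} GUID that appears in the docicon.exe path above.

```python
"""Decode the REG_BINARY `command` data that WINWORD.EXE wrote in the report.

Added example, not part of the report. The two hex strings are copied from
the report's Set value (data) entries; the decoding is an analyst's reading
of them (UTF-16LE text in Windows Installer advertised-command form).
"""
import struct
import uuid

# \...\Default HTML Editor\shell\edit\command\command and the Microsoft Word / WinWord.exe entries
BLOB_WORD = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
             "57004f0052004400460069006c00650073003e00"
             "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"
             "20002f006e002000220025003100220000000000")
# \...\.htm\OpenWithList\MSPub.exe\shell\edit\command\command
BLOB_MSPUB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
              "5000750062005000720069006d006100720079003e00"
              "520024006e0075006a0053005700460065003f007d0061004c007200520070003900780040005700"
              "20002500310000000000")

# Alphabet of the Windows Installer packed-GUID ("Darwin") encoding: 85 symbols, no '>' among them.
DARWIN_ALPHABET = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"


def decode_reg_binary_utf16(hex_data):
    """REG_BINARY as the report prints it -> text (UTF-16LE, NUL padded)."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    return raw.decode("utf-16-le").rstrip("\x00")


def unpack_darwin_guid(packed):
    """20 symbols -> four little-endian DWORDs (5 symbols each, least significant first) -> GUID."""
    if len(packed) != 20:
        raise ValueError("packed GUID must be 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(packed[i:i + 5]):
            value = value * 85 + DARWIN_ALPHABET.index(ch)   # ValueError on a symbol outside the alphabet
        if value > 0xFFFFFFFF:
            raise ValueError("group %r does not fit a DWORD" % packed[i:i + 5])
        dwords.append(value)
    return "{%s}" % str(uuid.UUID(bytes_le=struct.pack("<4I", *dwords))).upper()


def parse_darwin_descriptor(text):
    """Layout: <20-char product><feature>'>'<20-char component><args>."""
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if not sep or len(rest) < 20:
        raise ValueError("not an advertised-command descriptor")
    component, args = rest[:20], rest[20:].strip()
    return {
        "product": unpack_darwin_guid(product),
        "feature": feature,
        "component": unpack_darwin_guid(component),
        "args": args,
    }


def describe(hex_data):
    d = parse_darwin_descriptor(decode_reg_binary_utf16(hex_data))
    return "product=%s feature=%s component=%s args=%s" % (
        d["product"], d["feature"], d["component"], d["args"])


if __name__ == "__main__":
    for name, blob in (("WORD", BLOB_WORD), ("MSPUB", BLOB_MSPUB)):
        print(name, repr(decode_reg_binary_utf16(blob)))
        print("    ", describe(blob))
```

Both blobs decode to the same product code, {90140000-0011-0000-0000-0000000FF1CE}, i.e. the Office 2010 product whose docicon.exe the sample opened; the features are WORDFiles (arguments /n "%1") and PubPrimary (argument %1). That settles the question: these values are Windows Installer advertising for Word and Publisher, written by Office on start-up, and carry nothing from the sample. The same decoder is the right first step for any REG_BINARY value a sandbox prints as hex before concluding it is an encoded payload.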
Suspicious behavior: AddClipboardFormatListener (1 IoC)
2024 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
996 SVCHOST.EXE (20 entries), 1516 SPOOLSV.EXE (17), 524 CTFMON.EXE (15), 2020 the sample (12)
Only the four long-lived copies (the same PIDs that write the registry and walk the drives) poll the process list; the short-lived children do not.

Suspicious use of FindShellTrayWindow (2 IoCs)
2024 WINWORD.EXE (2 entries)

Suspicious use of SetWindowsHookEx (15 IoCs)
2020 the sample, 996 SVCHOST.EXE, 848 SVCHOST.EXE, 1516 SPOOLSV.EXE, 1048 SVCHOST.EXE, 1272 SPOOLSV.EXE, 524 CTFMON.EXE, 1352 SVCHOST.EXE, 1776 SPOOLSV.EXE, 1392 CTFMON.EXE, 1324 CTFMON.EXE, 1064 SPOOLSV.EXE, 1528 CTFMON.EXE, 2024 WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (52 IoCs)
Thirteen distinct relations, each recorded four times (writer PID and image -> target PID, with the target's procid):
2020 the sample -> 996 (procid 28)
996 SVCHOST.EXE -> 848 (29)
996 SVCHOST.EXE -> 1516 (30)
1516 SPOOLSV.EXE -> 1048 (31)
1516 SPOOLSV.EXE -> 1272 (32)
1516 SPOOLSV.EXE -> 524 (33)
524 CTFMON.EXE -> 1352 (34)
524 CTFMON.EXE -> 1776 (35)
524 CTFMON.EXE -> 1392 (36)
996 SVCHOST.EXE -> 1324 (37)
2020 the sample -> 1064 (38)
2020 the sample -> 1528 (39)
2020 the sample -> 2024 WINWORD.EXE (40)
Reading: every target is a process the writer itself created (the targets are exactly the "Executes dropped EXE" PIDs plus WINWORD.EXE), and the four-writes-per-child pattern is uniform. That is consistent with process creation setting up the new child, not with injection into a pre-existing process. Each long-lived copy starts one SVCHOST.EXE, one SPOOLSV.EXE and one CTFMON.EXE, of which one in turn becomes the next long-lived copy (2020 -> 996 -> 1516 -> 524). The one relation that is not a self-copy is 2020 -> 2024: the sample starts WINWORD.EXE, which is what triggers the Office registry housekeeping attributed to WINWORD.EXE above.
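The WriteProcessMemory list is the one place on the page from which the whole spawn chain can be rebuilt, and the question a responder needs answered from it is "did anything write into a process it did not create?". The Python below is an added example, not part of the report. The input lines are constructed in the report's own shape ("PID <writer> wrote to memory of <target> <writer> <writer image> <procid>"), one line per distinct relation repeated four times as the report does; the set of created PIDs comes from the report's "Executes dropped EXE" list plus WINWORD.EXE (PID 2024). Names such as SpawnTree and unspawned_targets are this example's own.

```python
"""Rebuild the spawn tree from the WriteProcessMemory relations in the report.

Added example, not part of the report. REPORT_LINES is constructed in the
report's own line shape from the 13 distinct relations it lists; SPAWNED_PIDS
is the report's "Executes dropped EXE" list plus WINWORD.EXE.
"""
import re
from collections import defaultdict

SAMPLE_EXE = "a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe"

# (writer pid, target pid, writer image, procid_target), as listed in the report.
RELATIONS = [
    (2020, 996, SAMPLE_EXE, 28), (996, 848, "SVCHOST.EXE", 29), (996, 1516, "SVCHOST.EXE", 30),
    (1516, 1048, "SPOOLSV.EXE", 31), (1516, 1272, "SPOOLSV.EXE", 32), (1516, 524, "SPOOLSV.EXE", 33),
    (524, 1352, "CTFMON.EXE", 34), (524, 1776, "CTFMON.EXE", 35), (524, 1392, "CTFMON.EXE", 36),
    (996, 1324, "SVCHOST.EXE", 37), (2020, 1064, SAMPLE_EXE, 38), (2020, 1528, SAMPLE_EXE, 39),
    (2020, 2024, SAMPLE_EXE, 40),
]
# The report repeats every relation four times; reproduce that.
REPORT_LINES = [f"PID {w} wrote to memory of {t} {w} {img} {pid}"
                for w, t, img, pid in RELATIONS for _ in range(4)]

# PIDs the report shows being created: "Executes dropped EXE" plus WINWORD.EXE.
SPAWNED_PIDS = {996, 848, 1516, 1048, 1272, 524, 1352, 1776, 1392, 1324, 1064, 1528, 2024}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


class SpawnTree:
    def __init__(self):
        self.parent = {}                   # target pid -> first writer pid
        self.children = defaultdict(list)  # writer pid -> [target pids] in first-seen order
        self.image = {}                    # pid -> image name, where the report names it
        self.writes = defaultdict(int)     # (writer, target) -> number of write records


def build_tree(lines):
    tree = SpawnTree()
    for line in lines:
        m = WPM_RE.search(line)
        if not m:
            continue
        writer, target, writer_again, image, _procid = m.groups()
        writer, target = int(writer), int(target)
        if int(writer_again) != writer:
            continue  # malformed line: the two writer PIDs disagree
        tree.writes[(writer, target)] += 1
        tree.image[writer] = image
        if target not in tree.parent:
            tree.parent[target] = writer
            tree.children[writer].append(target)
    return tree


def chain(tree, pid):
    """Root-to-pid ancestry, e.g. [2020, 996, 1516, 524, 1352]."""
    path = [pid]
    while path[-1] in tree.parent:
        path.append(tree.parent[path[-1]])
    return path[::-1]


def roots(tree):
    return sorted(p for p in tree.children if p not in tree.parent)


def unspawned_targets(tree, spawned_pids):
    """Write targets that are not newly created children. Anything here is a write
    into a pre-existing process, i.e. injection; an empty set means the writes are
    consistent with CreateProcess setting up its own children."""
    return {t for t in tree.parent if t not in spawned_pids}


def render(tree, pid, depth=0):
    """Indented text tree; the image is known only for PIDs that appear as writers."""
    writes = tree.writes.get((tree.parent.get(pid), pid), 0)
    lines = ["%s%d %s (%d writes from parent)" % ("  " * depth, pid, tree.image.get(pid, "?"), writes)]
    for child in tree.children.get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(REPORT_LINES)
    print("\n".join(render(tree, roots(tree)[0])))
    print("write targets not created by their writer:", unspawned_targets(tree, SPAWNED_PIDS) or "none")
```

On the report's data the single root is 2020, the deepest chain is 2020 -> 996 -> 1516 -> 524 -> {1352, 1776, 1392}, every relation carries exactly four writes, and unspawned_targets is empty, which is the result that lets the WriteProcessMemory signature be filed as process creation rather than injection. Feed the same function a log where a write target is not in the created set and that target is the process to pull memory from.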
Processes
C:\Users\Admin\AppData\Local\Temp\a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe (depth 1, PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\recycled\SVCHOST.EXE (depth 2, PID 996, parent PID 2020)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\recycled\SVCHOST.EXE (depth 3, PID 848, parent PID 996)
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\recycled\SPOOLSV.EXE (depth 3, PID 1516, parent PID 996)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\recycled\SVCHOST.EXE (depth 4, PID 1048, parent PID 1516)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\recycled\SPOOLSV.EXE (depth 4, PID 1272, parent PID 1516)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\recycled\CTFMON.EXE (depth 4, PID 524, parent PID 1516)
        Command line: C:\recycled\CTFMON.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\recycled\SVCHOST.EXE (depth 5, PID 1352, parent PID 524)
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\recycled\SPOOLSV.EXE (depth 5, PID 1776, parent PID 524)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\recycled\CTFMON.EXE (depth 5, PID 1392, parent PID 524)
          Command line: C:\recycled\CTFMON.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\recycled\CTFMON.EXE (depth 3, PID 1324, parent PID 996)
      Command line: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\recycled\SPOOLSV.EXE (depth 2, PID 1064, parent PID 2020)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\recycled\CTFMON.EXE (depth 2, PID 1528, parent PID 2020)
    Command line: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, PID 2024, parent PID 2020)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a7c8c3bac3babe118ac2fe624360e5355db7c8d8eebde685ffe21b902b9e7e1d.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads