Analysis
-
max time kernel
210s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 10:39
Static task
static1
Behavioral task
behavioral1
Sample
3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc
Resource
win10v2004-20220812-en
General
-
Target
3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc
-
Size
367KB
-
MD5
7ad977e490ead6a113d88aa8091d3dfd
-
SHA1
f5f3c7a449bc658dee88153fbc6cf21061eaa1df
-
SHA256
3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006
-
SHA512
84de4a09c3533f94bf76bbaaf47ee67f5b1da809a40140d570ff7000f912e2f6217dc55f1c42895870c26682c7c4ca52803b5fc802fb039755563d3d20377b5c
-
SSDEEP
6144:CEnfyZlEDVXmnIW2iDKPbIz7yStMvWqDJv7yC3dLPm+UidwOydGWm0CFJ:CEnfyAonINPbwCHDNeCk+UiWOyZwJ
Malware Config
Extracted
pony
http://krossfight.eu/trustmebaby/gate.php
-
payload_url
http://www.conteudosdigitais.org/calc.exe
http://autohaus-gutmann.de/calc.exe
http://firstdive.co.kr/calc.exe
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
GssFip.exepid process 1540 GssFip.exe -
Processes:
resource yara_rule behavioral1/memory/1540-66-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1540-67-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1540-68-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Loads dropped DLL 2 IoCs
Processes:
WINWORD.EXEpid process 1516 WINWORD.EXE 1516 WINWORD.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D21D351A-0834-4FED-9531-FC344BB8F916}\1.0\0\win32\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms\\MSScriptControl.exd" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\TypeLib\{68A9316E-91FD-4DDE-9746-EED27D948138}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C71-067D-11D0-95D8-00A02463AB28}\ = "IScriptProcedureCollection" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D21D351A-0834-4FED-9531-FC344BB8F916}\1.0\0\win32 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68A9316E-91FD-4DDE-9746-EED27D948138}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D21D351A-0834-4FED-9531-FC344BB8F916} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\ = "IScriptModuleCollection" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B167D60-8605-11D0-ABCB-00A0C90FFFC0}\ = "DScriptControlSource" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1516 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
GssFip.exedescription pid process Token: SeImpersonatePrivilege 1540 GssFip.exe Token: SeTcbPrivilege 1540 GssFip.exe Token: SeChangeNotifyPrivilege 1540 GssFip.exe Token: SeCreateTokenPrivilege 1540 GssFip.exe Token: SeBackupPrivilege 1540 GssFip.exe Token: SeRestorePrivilege 1540 GssFip.exe Token: SeIncreaseQuotaPrivilege 1540 GssFip.exe Token: SeAssignPrimaryTokenPrivilege 1540 GssFip.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1516 WINWORD.EXE 1516 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1516 wrote to memory of 1540 1516 WINWORD.EXE GssFip.exe PID 1516 wrote to memory of 1540 1516 WINWORD.EXE GssFip.exe PID 1516 wrote to memory of 1540 1516 WINWORD.EXE GssFip.exe PID 1516 wrote to memory of 1540 1516 WINWORD.EXE GssFip.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3d53b54d98e14f9de2a2316fe09ee6b9fe27f2dacdd4ad85f52dd1e16eebb006.doc"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\GssFip.exeGssFip.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD521c9a9cfc109e50647eaed89996ddf9e
SHA13cfe31aaab6b7894b89f2ca5c3d2c147e865baea
SHA256e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710
SHA512e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b
-
Filesize
60KB
MD521c9a9cfc109e50647eaed89996ddf9e
SHA13cfe31aaab6b7894b89f2ca5c3d2c147e865baea
SHA256e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710
SHA512e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b
-
Filesize
60KB
MD521c9a9cfc109e50647eaed89996ddf9e
SHA13cfe31aaab6b7894b89f2ca5c3d2c147e865baea
SHA256e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710
SHA512e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b
-
Filesize
60KB
MD521c9a9cfc109e50647eaed89996ddf9e
SHA13cfe31aaab6b7894b89f2ca5c3d2c147e865baea
SHA256e0e61cee5afe885e2ef811f2ebd21f803f4d85b2c5b5ed3c2483578b7c00d710
SHA512e6f6ddbc3589673f3ab5c4a91d15141bde268d2ca0d9b18375d461beb06158e9f9edc2e5de59d9566aab235c3f99f38f4478ce73089b2c4394fc8fca4de4496b