Analysis
max time kernel: 145s
max time network: 135s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
  Resource: win10v2004-20221111-en
General
Target: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
Size: 1.2MB
MD5: eede44f9fff359762f09d0d819c97e0f
SHA1: 17cc6ca62f6542ac183a7530335f5ba478a71e21
SHA256: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a
SHA512: cf41c3e6b9c586b31190813aa7c00c750bb00e9fb03ed3f21e4e686da6b22fe0686eb4de83e52c7dd6a80642fd9b09561ab62179147ae23beff1916fecad1424
SSDEEP: 24576:Ft24ot2EiSDXv8WN7ZXJVrTtjxak7WehQe5Zee1yR3:RYZiSbkE5rTtjXXBZ/1s
Malware Config (extracted)
Family: xtremerat
C2: goodday.zapto.org
C2: Šꮨ妘tvnew.otzo.com (the leading characters are not printable ASCII as captured)
Signatures

Detect XtremeRAT payload 6 IoCs
resource | yara_rule
behavioral1/memory/1156-91-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1156-93-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1988-97-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral1/memory/1988-99-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1156-100-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1988-102-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE 2 IoCs
pid | Process
1812 | Skpe.exe
1156 | Skpe.exe

UPX packed file 10 IoCs
Memory regions matching the upx YARA rule. The same 0x00C80000-0x00C96000 region in PID 1156 (Skpe.exe) and PID 1988 (sethc.exe) also matched family_xtremerat above, so the UPX-compressed image and the XtremeRAT payload are the same unpacked code.
resource | yara_rule
behavioral1/memory/1156-78-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-81-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-82-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-88-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-90-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-91-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-93-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1988-99-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1156-100-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1988-102-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Skpe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Skpe.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
Loads dropped DLL 7 IoCs
pid | Process
900 | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe (6 loads)
1812 | Skpe.exe (1 load)
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: \??\Z: \??\B: \??\F: \??\G: \??\M: \??\K: \??\Q: \??\U: \??\Y: \??\T: \??\W: \??\I: \??\L: \??\N: \??\R: \??\O: \??\P: \??\S: \??\X: \??\A: \??\E: \??\H: \??\J: (24 letters, every drive letter except C: and D:) | Skpe.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1812 set thread context of 1156 | 1812 | Skpe.exe | 29
Together with the 11 WriteProcessMemory calls from PID 1812 into PID 1156 listed below, this is the write-then-SetThreadContext pattern of process hollowing: the first Skpe.exe instance launches a second copy of itself, overwrites its image in memory, and redirects its main thread before letting it run. The XtremeRAT YARA hits are on that second instance (1156) and on sethc.exe (1988), not on the 1812 loader.
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
The writer here is WINWORD.EXE, not the sample; the WIA trace log is typically touched when Office initialises Windows Image Acquisition, so this entry should not be attributed to the dropper on its own.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic heuristic describes this as likely ransomware behaviour; for this sample it coincides with the drive enumeration by Skpe.exe above, and the detected family is XtremeRAT rather than a ransomware family.

Office loads VBA resources, possible macro or embedded object present
Raised by WINWORD.EXE while it opened C:\Users\Admin\AppData\Local\Temp\doc.doc (see the process tree below).
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Skpe.exe
Modifies Internet Explorer settings
Every entry in this table is written by WINWORD.EXE (PID 1108) and concerns the default HTML/MHTML editor and the Office context-menu extensions; none is attributable to Skpe.exe.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Modifies registry class 64 IoCs
Only two of the 64 entries come from Skpe.exe: it creates the class key wy2026978013e.esf and stores a 16-byte value under it. The remaining 62 are Office 2010 file-association and icon-handler registration performed by WINWORD.EXE when it opened doc.doc.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf\ = 2d7f3fc274e4f95aae74dbb729f4914d | Skpe.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf | Skpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
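Added example (Python), not part of the sandbox report: the hex blobs in the "command" values above are UTF-16LE strings. Decoding one shows a Windows Installer Darwin descriptor (a 20-character compressed product code, a feature name such as WORDFiles, a ">" separator, a 20-character compressed component code, then the trailing /n "%1" arguments), which is how Office registers advertised file associations, while the 16-byte value Skpe.exe stored under wy2026978013e.esf does not decode to printable text. The two rows embedded below are copied from the table above; the verdict labels and the helper names are this example's own.

```python
"""
Decode REG_BINARY 'command' values from the sandbox report and separate
Office's Darwin-descriptor registration noise from opaque binary values.
Rows are copied from the "Modifies registry class" table of this report.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REPORT_ROWS = [
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.htm\\OpenWithList\\WinWord.exe\\shell\\edit\\command\\command",
     "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
     "WINWORD.EXE"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\wy2026978013e.esf\\",
     "2d7f3fc274e4f95aae74dbb729f4914d",
     "Skpe.exe"),
]

COMPRESSED_GUID_LEN = 20  # Darwin descriptors begin with a 20-char compressed GUID


@dataclass
class DarwinDescriptor:
    product_code: str   # compressed product GUID
    feature: str        # feature name, e.g. WORDFiles
    component: str      # compressed component GUID
    args: str           # trailing command-line arguments, if any


def decode_utf16_value(hex_data: str) -> Optional[str]:
    """Decode a hex REG_BINARY blob as a NUL-terminated UTF-16LE string.

    Returns None when the bytes are not a plausible printable-ASCII string,
    which is what happens for the 16-byte value written by Skpe.exe.
    """
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        return None
    text = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return None
    return text


def parse_darwin_descriptor(text: str) -> Optional[DarwinDescriptor]:
    """Split '<product20><feature>><component20> <args>' into its parts."""
    if len(text) < 2 * COMPRESSED_GUID_LEN + 1 or ">" not in text:
        return None
    head, tail = text.split(">", 1)
    product, feature = head[:COMPRESSED_GUID_LEN], head[COMPRESSED_GUID_LEN:]
    component, args = tail[:COMPRESSED_GUID_LEN], tail[COMPRESSED_GUID_LEN:].strip()
    if not feature or len(component) != COMPRESSED_GUID_LEN:
        return None
    return DarwinDescriptor(product, feature, component, args)


def triage_rows(rows) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each registry key to (decoded text or None, verdict label)."""
    out = {}
    for key, hex_data, proc in rows:
        text = decode_utf16_value(hex_data)
        desc = parse_darwin_descriptor(text) if text else None
        if desc and proc.upper() == "WINWORD.EXE":
            verdict = f"office-darwin-descriptor:{desc.feature}"   # expected Office registration
        else:
            verdict = "opaque-binary:review"                        # not text; look at it by hand
        out[key] = (text, verdict)
    return out


if __name__ == "__main__":
    for key, (text, verdict) in triage_rows(REPORT_ROWS).items():
        print(f"{verdict:40} {key}\n    {text!r}")
```

The same decoder applies to the "Default HTML Editor" and "Default MHTML Editor" values in the Internet Explorer table, which carry the identical WORDFiles descriptor; the Excel and Publisher variants differ only in the feature name and component code.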
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1108 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1812 | Skpe.exe
1812 | Skpe.exe

Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1812 | Skpe.exe
1812 | Skpe.exe
1108 | WINWORD.EXE
1108 | WINWORD.EXE
1988 | sethc.exe

Suspicious use of WriteProcessMemory 37 IoCs
description | pid | Process | procid_target | occurrences
PID 900 wrote to memory of 1108 | 900 | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe | 27 | 7
PID 900 wrote to memory of 1812 | 900 | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe | 28 | 7
PID 1812 wrote to memory of 1156 | 1812 | Skpe.exe | 29 | 11
PID 1156 wrote to memory of 1988 | 1156 | Skpe.exe | 31 | 8
PID 1108 wrote to memory of 1044 | 1108 | WINWORD.EXE | 35 | 4
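Added example (Python), not part of the sandbox report: rebuild the injection chain from the flattened WriteProcessMemory and SetThreadContext tables above and label each edge with only the evidence the report contains. The image paths per PID are taken from the process tree below; the table text is a condensed copy of the rows above (each row repeated as often as it occurs); the edge labels and the %APPDATA%/C:\Windows heuristics are this example's own and are not a sandbox signature.

```python
"""
Reconstruct the injection chain described by this report's
"Suspicious use of WriteProcessMemory" and "Suspicious use of
SetThreadContext" tables and classify each source->target edge.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]

# Row shapes exactly as they appear in the report tables.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ \d+")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 \S+ \d+")

DROPPER = "90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"

# Image path per PID, from the report's process tree.
IMAGE: Dict[int, str] = {
    900:  r"C:\Users\Admin\AppData\Local\Temp" + "\\" + DROPPER,
    1108: r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
    1044: r"C:\Windows\splwow64.exe",
    1812: r"C:\Users\Admin\AppData\Local\Temp\Skpe.exe",
    1156: r"C:\Users\Admin\AppData\Local\Temp\Skpe.exe",
    1988: r"C:\Windows\SysWOW64\sethc.exe",
}

# Condensed copy of the report's 37 WriteProcessMemory rows and 1 SetThreadContext row.
WPM_TABLE = " ".join(
    [f"PID 900 wrote to memory of 1108 900 {DROPPER} 27"] * 7
    + [f"PID 900 wrote to memory of 1812 900 {DROPPER} 28"] * 7
    + ["PID 1812 wrote to memory of 1156 1812 Skpe.exe 29"] * 11
    + ["PID 1156 wrote to memory of 1988 1156 Skpe.exe 31"] * 8
    + ["PID 1108 wrote to memory of 1044 1108 WINWORD.EXE 35"] * 4
)
STC_TABLE = "PID 1812 set thread context of 1156 1812 Skpe.exe 29"


def parse_tables(wpm_text: str, stc_text: str) -> Tuple[Counter, Set[Edge]]:
    """Count writes per (src, dst) edge and collect SetThreadContext edges."""
    writes: Counter = Counter()
    for src, dst in WPM_RE.findall(wpm_text):
        writes[(int(src), int(dst))] += 1
    ctx = {(int(s), int(d)) for s, d in STC_RE.findall(stc_text)}
    return writes, ctx


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def label_edge(edge: Edge, ctx: Set[Edge], image: Dict[int, str]) -> str:
    src, dst = edge
    s, d = image.get(src, ""), image.get(dst, "")
    if edge in ctx and basename(s) == basename(d):
        return "process-hollowing"          # write + SetThreadContext into a copy of itself
    if edge in ctx:
        return "thread-context-hijack"      # write + SetThreadContext into a different image
    if under_windows(d) and user_writable(s):
        return "inject-into-windows-binary"  # %APPDATA% binary writing into a Windows host
    if under_windows(d):
        return "write-into-windows-binary"  # needs parent context; Office -> splwow64 is routine
    return "cross-process-write"


def analyse(wpm_text: str = WPM_TABLE, stc_text: str = STC_TABLE,
            image: Dict[int, str] = IMAGE) -> Dict[Edge, Tuple[int, str]]:
    writes, ctx = parse_tables(wpm_text, stc_text)
    return {e: (n, label_edge(e, ctx, image)) for e, n in writes.items()}


def chain(result: Dict[Edge, Tuple[int, str]], root: int) -> List[int]:
    """Breadth-first walk of the write edges from the initial dropper PID."""
    order, frontier = [], [root]
    while frontier:
        cur = frontier.pop(0)
        for s, d in sorted(result):
            if s == cur and d not in order:
                order.append(d)
                frontier.append(d)
    return order


if __name__ == "__main__":
    result = analyse()
    for (src, dst), (n, label) in sorted(result.items()):
        print(f"{src:>5} -> {dst:<5} x{n:<2} {label:28} {basename(IMAGE[src])} -> {basename(IMAGE[dst])}")
    print("hand-off order from PID 900:", chain(result, 900))
```

Run stand-alone it prints five edges. The 1812 -> 1156 edge is the only one that combines memory writes with SetThreadContext into an identically named process, which is the hollowing step; 1156 -> 1988 is the hollowed payload writing into sethc.exe, a Windows binary, from a file in %TEMP%. WINWORD.EXE -> splwow64.exe lands in a weaker bucket because the writer is Office itself, and the two edges out of PID 900 coincide with it starting its children, so they are weak signals on their own.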
Processes
C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe (PID 900)
  command line: "C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1108, child of 900)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1044, child of 1108)
      command line: C:\Windows\splwow64.exe 12288
  C:\Users\Admin\AppData\Local\Temp\Skpe.exe (PID 1812, child of 900)
    command line: "C:\Users\Admin\AppData\Local\Temp\Skpe.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Skpe.exe (PID 1156, child of 1812)
      command line: C:\Users\Admin\AppData\Local\Temp\Skpe.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sethc.exe (PID 1988, child of 1156)
        command line: sethc.exe
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Two distinct files were captured. The first is listed ten times in the original report, once per artifact path; the paths themselves were not preserved in this copy.

Filesize: 1.5MB
MD5: 0946f59f7a3718e24ca16f089f7974f6
SHA1: 143e879d7bb1b0322844c288a5c8c0aa88d78a29
SHA256: d357ab68c3253d5b235ea42fb65633e3d1993ee12b9135125e8b8c360566deec
SHA512: 0e4ead1184a474c98bb2deb4f7450246559f3b713541a75a7084f861ee4239303796f3ab8ea16e02b4c0cda76437676bce7c58cf470e0adaf775a71fc51a5842

Filesize: 28KB
MD5: 2dc148f5161f0914a2ca0136b088ed44
SHA1: cb47e69bb0fce98c6a16b687e05bba97143822bf
SHA256: 84730b81737bf67aa69383aa304a89b5b4da29190d8d6268f80b6e4df90d9463
SHA512: e5a951481ca01eccc3c77069642256ca6822e837240c9b9cee78305570fd05998a98d9dae0e80e71811d7a4953df54d1b2fd732d35fb5e8729dfbfd773cfff21