netwire | 53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013

Analysis

max time kernel
133s
max time network
168s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013.rtf
Size

471KB
MD5

ea20d11e52523d107699a5d829a30325
SHA1

abcdb6f32ee84eb7a4e96bf345097f9ee49a52e5
SHA256

53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013
SHA512

5ab2ed273fda016a9cd1f201c261f1ef9dfaedb0cef58bc6390ad30832c97d6b7c2989e9fed64f61a2c52cd89b8d186fe45d05a3434516f310dd62c5ec7c5022
SSDEEP

6144:bETwf8NyUAsVkv0AC51jFELREqDg9TtFqH6DnY7IVF74VFyZwco0yVq3F:b2wINc0A4dgluTaID8xcX3F

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/768-80-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/768-83-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/768-82-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/768-88-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/768-96-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1700-123-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1700-128-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	280	1228	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	928	1228	cmd.exe	WINWORD.EXE

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exeHost.exeHost.exe

pid process

2036 svchost.exe
768 svchost.exe
984 Host.exe
1700 Host.exe

pid	process
2036	svchost.exe
768	svchost.exe
984	Host.exe
1700	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N6Y6J35R-2CDG-88SS-3846-X16RE2Q3U7Y6}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N6Y6J35R-2CDG-88SS-3846-X16RE2Q3U7Y6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Host.exe\""	Host.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\svchost.exe	upx
C:\Users\Admin\AppData\Local\svchost.exe	upx
\Users\Admin\AppData\Local\svchost.exe	upx
behavioral1/memory/2036-70-0x0000000000400000-0x0000000000505000-memory.dmp	upx
C:\Users\Admin\AppData\Local\svchost.exe	upx
behavioral1/memory/2036-86-0x0000000000400000-0x0000000000505000-memory.dmp	upx
C:\Users\Admin\AppData\Local\svchost.exe	upx
\Users\Admin\AppData\Local\Temp\Host.exe	upx
behavioral1/memory/984-100-0x0000000000400000-0x0000000000505000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Host.exe	upx
\Users\Admin\AppData\Local\Temp\Host.exe	upx
C:\Users\Admin\AppData\Local\Temp\Host.exe	upx
behavioral1/memory/984-111-0x0000000000400000-0x0000000000505000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Host.exe	upx
C:\Users\Admin\AppData\Local\Temp\Host.exe	upx

Loads dropped DLL 5 IoCs

Processes:

WINWORD.EXEsvchost.exeHost.exe

pid process

1228 WINWORD.EXE
1228 WINWORD.EXE
768 svchost.exe
768 svchost.exe
984 Host.exe

pid	process
1228	WINWORD.EXE
1228	WINWORD.EXE
768	svchost.exe
768	svchost.exe
984	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exeHost.exe

description pid process target process

PID 2036 set thread context of 768 2036 svchost.exe svchost.exe
PID 984 set thread context of 1700 984 Host.exe Host.exe
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 2036 set thread context of 768	2036	svchost.exe	svchost.exe
PID 984 set thread context of 1700	984	Host.exe	Host.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1228 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exeHost.exe

pid process

2036 svchost.exe
984 Host.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

1228 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXEsvchost.exeHost.exeWINWORD.EXE

pid process

1228 WINWORD.EXE
1228 WINWORD.EXE
2036 svchost.exe
2036 svchost.exe
984 Host.exe
984 Host.exe
316 WINWORD.EXE
316 WINWORD.EXE

pid	process
1228	WINWORD.EXE

pid	process
2036	svchost.exe
984	Host.exe

pid	process
1228	WINWORD.EXE

pid	process
1228	WINWORD.EXE
1228	WINWORD.EXE
2036	svchost.exe
2036	svchost.exe
984	Host.exe
984	Host.exe
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

WINWORD.EXEsvchost.exesvchost.execmd.execmd.exeHost.exe

description	pid	process	target process
PID 1228 wrote to memory of 1508	1228	WINWORD.EXE	splwow64.exe
PID 1228 wrote to memory of 1508	1228	WINWORD.EXE	splwow64.exe
PID 1228 wrote to memory of 1508	1228	WINWORD.EXE	splwow64.exe
PID 1228 wrote to memory of 1508	1228	WINWORD.EXE	splwow64.exe
PID 1228 wrote to memory of 2036	1228	WINWORD.EXE	svchost.exe
PID 1228 wrote to memory of 2036	1228	WINWORD.EXE	svchost.exe
PID 1228 wrote to memory of 2036	1228	WINWORD.EXE	svchost.exe
PID 1228 wrote to memory of 2036	1228	WINWORD.EXE	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 768	2036	svchost.exe	svchost.exe
PID 1228 wrote to memory of 280	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 280	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 280	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 280	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 928	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 928	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 928	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 928	1228	WINWORD.EXE	cmd.exe
PID 1228 wrote to memory of 316	1228	WINWORD.EXE	WINWORD.EXE
PID 1228 wrote to memory of 316	1228	WINWORD.EXE	WINWORD.EXE
PID 1228 wrote to memory of 316	1228	WINWORD.EXE	WINWORD.EXE
PID 1228 wrote to memory of 316	1228	WINWORD.EXE	WINWORD.EXE
PID 768 wrote to memory of 984	768	svchost.exe	Host.exe
PID 768 wrote to memory of 984	768	svchost.exe	Host.exe
PID 768 wrote to memory of 984	768	svchost.exe	Host.exe
PID 768 wrote to memory of 984	768	svchost.exe	Host.exe
PID 280 wrote to memory of 1704	280	cmd.exe	reg.exe
PID 280 wrote to memory of 1704	280	cmd.exe	reg.exe
PID 280 wrote to memory of 1704	280	cmd.exe	reg.exe
PID 280 wrote to memory of 1704	280	cmd.exe	reg.exe
PID 928 wrote to memory of 1988	928	cmd.exe	reg.exe
PID 928 wrote to memory of 1988	928	cmd.exe	reg.exe
PID 928 wrote to memory of 1988	928	cmd.exe	reg.exe
PID 928 wrote to memory of 1988	928	cmd.exe	reg.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe
PID 984 wrote to memory of 1700	984	Host.exe	Host.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013.rtf"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\..\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\svchost.exe
    C:\Users\Admin\AppData\Local\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\Host.exe
      "C:\Users\Admin\AppData\Local\Temp\Host.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\Host.exe
        
        C:\Users\Admin\AppData\Local\Temp\Host.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
    3⤵
    PID:1988
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013.rtf"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013.rtf:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013.rtf

Filesize
162B

MD5
81eb29eb6519d8aaba96390dc602255a

SHA1
837998e87ed9b90ea03c143db41da2dcc4c71b3c

SHA256
1ca56124124e08fa5536b78b7478ee9397b8033b997ae1b88f38444425a90d17

SHA512
dee10149229acd6cfe35d163f7d946260ee91b0c0cc1c7e583ce45da9d9bbecb2ba69bcf3237409b208feb96bdca6b161ef69d59a4160633268214c013f21120

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
f1d7cf8b7fbc2ed8c66a31b9a0f8a843

SHA1
b8b9250dceedcfe29d8e69530f055407ef28ed9e

SHA256
022d6e174c0f7b82da16f3498a10c3b5153403d87196992d23a93a3527be746c

SHA512
c304e5d2eef2bdbbddeb10a174f874f85d3aed7623d9d6281027bd76bcfd8632a653bc9eb72a0b832d7555a28ff19ddd98c1b15926fd7b6b4aa9f4750cf18837

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
\Users\Admin\AppData\Local\svchost.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
\Users\Admin\AppData\Local\svchost.exe

Filesize
377KB

MD5
708664e633080488dc23f9162f01aee9

SHA1
da976e353ccd297f83ee6bc0c1c20030dde82fa1

SHA256
e968843aa90779df32bed92bb2dc9059e29ad23674115e6216a8d4c39148e504

SHA512
4558bedc7886e8d128680a5c8c2627a5a3cea8494e423665dffc4786337837b17ab70665da07af5eded7899dd81c1619f10c7b0931e247bac8a5b1bc7e48c60b

Download Submit
memory/280-89-0x0000000000000000-mapping.dmp

Download
memory/316-91-0x0000000000000000-mapping.dmp

Download
memory/316-108-0x0000000070F1D000-0x0000000070F28000-memory.dmp

Filesize
44KB

Download
memory/768-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-77-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-75-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-80-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-83-0x00000000004021DA-mapping.dmp

Download
memory/768-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-74-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-88-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/768-72-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/928-90-0x0000000000000000-mapping.dmp

Download
memory/984-94-0x0000000000000000-mapping.dmp

Download
memory/984-111-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/984-100-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1228-54-0x00000000724B1000-0x00000000724B4000-memory.dmp

Filesize
12KB

Download
memory/1228-58-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1228-69-0x0000000005AB0000-0x0000000005BB5000-memory.dmp

Filesize
1.0MB

Download
memory/1228-62-0x00000000050B0000-0x000000000520C000-memory.dmp

Filesize
1.4MB

Download
memory/1228-55-0x000000006FF31000-0x000000006FF33000-memory.dmp

Filesize
8KB

Download
memory/1228-68-0x0000000005AB0000-0x0000000005BB5000-memory.dmp

Filesize
1.0MB

Download
memory/1228-61-0x000000006B641000-0x000000006B643000-memory.dmp

Filesize
8KB

Download
memory/1228-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1228-57-0x0000000070F1D000-0x0000000070F28000-memory.dmp

Filesize
44KB

Download
memory/1228-107-0x0000000005AB0000-0x0000000005BB5000-memory.dmp

Filesize
1.0MB

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1508-60-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1700-123-0x00000000004021DA-mapping.dmp

Download
memory/1700-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1704-102-0x0000000000000000-mapping.dmp

Download
memory/1988-103-0x0000000000000000-mapping.dmp

Download
memory/2036-70-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2036-65-0x0000000000000000-mapping.dmp

Download
memory/2036-79-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download
memory/2036-86-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download