darkcomet | 27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f

Analysis

max time kernel
177s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc
Size

4.0MB
MD5

3b25dfdf3f89b0a1e161d442d1fd2227
SHA1

964cae96ec5364a84b13edaa305e4e3fb35fa208
SHA256

27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f
SHA512

cb0dcc230066c146926ffc158d47f48c33ba67970963ce72afcef3bb63166996e969f7d0318f6fb604fff54962cc8e934f55079bccec0f2a8f22e4e14ffef2d4
SSDEEP

24576:pVfxRoAIj5FBCQELbeNJDIe5uocMALTipn5yZ0h1j8KmGN2zbRtG23zxQ0atoYBq:9p

Score

10^/10

darkcomet doc rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

doc

67.242.194.118:1604

Mutex

DC_MUTEX-W3TT9NP

Attributes

gencode
QMYYWMGSMDbi
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

dnyoxbau.exeXVeObc.exe

pid process

324 dnyoxbau.exe
1096 XVeObc.exe
Loads dropped DLL 2 IoCs

Processes:

WINWORD.EXEdnyoxbau.exe

pid process

940 WINWORD.EXE
324 dnyoxbau.exe

pid	process
324	dnyoxbau.exe
1096	XVeObc.exe

pid	process
940	WINWORD.EXE
324	dnyoxbau.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

XVeObc.exesvchost.exe

description	pid	process	target process
PID 1096 set thread context of 1708	1096	XVeObc.exe	svchost.exe
PID 1708 set thread context of 2000	1708	svchost.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

940 WINWORD.EXE

pid	process
940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

XVeObc.exesvchost.exe

pid	process
1096	XVeObc.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe
1708	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2000	svchost.exe
Token: SeSecurityPrivilege	2000	svchost.exe
Token: SeTakeOwnershipPrivilege	2000	svchost.exe
Token: SeLoadDriverPrivilege	2000	svchost.exe
Token: SeSystemProfilePrivilege	2000	svchost.exe
Token: SeSystemtimePrivilege	2000	svchost.exe
Token: SeProfSingleProcessPrivilege	2000	svchost.exe
Token: SeIncBasePriorityPrivilege	2000	svchost.exe
Token: SeCreatePagefilePrivilege	2000	svchost.exe
Token: SeBackupPrivilege	2000	svchost.exe
Token: SeRestorePrivilege	2000	svchost.exe
Token: SeShutdownPrivilege	2000	svchost.exe
Token: SeDebugPrivilege	2000	svchost.exe
Token: SeSystemEnvironmentPrivilege	2000	svchost.exe
Token: SeChangeNotifyPrivilege	2000	svchost.exe
Token: SeRemoteShutdownPrivilege	2000	svchost.exe
Token: SeUndockPrivilege	2000	svchost.exe
Token: SeManageVolumePrivilege	2000	svchost.exe
Token: SeImpersonatePrivilege	2000	svchost.exe
Token: SeCreateGlobalPrivilege	2000	svchost.exe
Token: 33	2000	svchost.exe
Token: 34	2000	svchost.exe
Token: 35	2000	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEsvchost.exesvchost.exe

pid process

940 WINWORD.EXE
940 WINWORD.EXE
1708 svchost.exe
2000 svchost.exe

pid	process
940	WINWORD.EXE
940	WINWORD.EXE
1708	svchost.exe
2000	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

WINWORD.EXEdnyoxbau.exeXVeObc.exesvchost.exe

description	pid	process	target process
PID 940 wrote to memory of 324	940	WINWORD.EXE	dnyoxbau.exe
PID 940 wrote to memory of 324	940	WINWORD.EXE	dnyoxbau.exe
PID 940 wrote to memory of 324	940	WINWORD.EXE	dnyoxbau.exe
PID 940 wrote to memory of 324	940	WINWORD.EXE	dnyoxbau.exe
PID 324 wrote to memory of 1096	324	dnyoxbau.exe	XVeObc.exe
PID 324 wrote to memory of 1096	324	dnyoxbau.exe	XVeObc.exe
PID 324 wrote to memory of 1096	324	dnyoxbau.exe	XVeObc.exe
PID 324 wrote to memory of 1096	324	dnyoxbau.exe	XVeObc.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1096 wrote to memory of 1708	1096	XVeObc.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 1708 wrote to memory of 2000	1708	svchost.exe	svchost.exe
PID 940 wrote to memory of 1796	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1796	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1796	940	WINWORD.EXE	splwow64.exe
PID 940 wrote to memory of 1796	940	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\dnyoxbau.exe
dnyoxbau.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe" "kcwtNy"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MrHFkS.exe
Filesize
102KB

MD5
0df564f1184ac289b353baed6e2a0c46

SHA1
d492f51df890f436f5e0e994b0f19e14e3001f88

SHA256
330df2f54fb09d6d1344668ef458c45af620c2254fbc45e75b68444f963dc5bb

SHA512
30f55f79bd6e7b6f7715f20856614778d3e97a59f8c642c4659690b3f99d3153bbd98bf4e5b96704c6f1698b135d63e8280260bcf6e9cdc040fc0fe7279b0fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\YKPZyv.txt
Filesize
3.3MB

MD5
efa2349c70a2c2c7a187bd2dc56badd6

SHA1
47b39c026aba067f081659fff5b9c79228868c0c

SHA256
fa343af9019e2f80fc56c1eee777b329322ebb1dc8351895769167313b370127

SHA512
3f51edca1aa4de85d45e1e1f39e1515d95f83b82bf5a50cd9e951221f4719da7f54cb7d7f116b72afee58a1c6dee4f99894beab20294b425b5db7acced280b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kcwtNy
Filesize
6KB

MD5
374b7508bc86f61e1fbffb4bda3543ac

SHA1
95bbd530b272f276d9553d90472234565a0172e7

SHA256
f578c2c0db2e328c94892faace17565e6b1396337c47215b8e6a27ab7d95a77e

SHA512
9b4d9647a0ac7c2853fb4d31d7fede4064068445ac20c2f95d5203eda615178833459b59691fd77709fb4786ba9b0ef7ffcd89713d641143dfd15ce9b3d3c692

Download Submit
C:\Users\Admin\dnyoxbau.exe
Filesize
1001KB

MD5
fdfe234a413d0d7ceaa619162ee41b55

SHA1
d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de

SHA256
b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d

SHA512
9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65

Download Submit
C:\Users\Admin\dnyoxbau.exe
Filesize
1001KB

MD5
fdfe234a413d0d7ceaa619162ee41b55

SHA1
d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de

SHA256
b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d

SHA512
9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
\Users\Admin\dnyoxbau.exe
Filesize
1001KB

MD5
fdfe234a413d0d7ceaa619162ee41b55

SHA1
d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de

SHA256
b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d

SHA512
9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65

Download Submit
memory/324-86-0x0000000000000000-mapping.dmp

Download
memory/940-74-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-60-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-54-0x0000000072B81000-0x0000000072B84000-memory.dmp

Filesize
12KB

Download
memory/940-79-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/940-80-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-64-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-62-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-63-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-61-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-69-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-134-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-59-0x00000000004B3000-0x00000000004B7000-memory.dmp

Filesize
16KB

Download
memory/940-58-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/940-57-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-55-0x0000000070601000-0x0000000070603000-memory.dmp

Filesize
8KB

Download
memory/940-135-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/1096-91-0x0000000000000000-mapping.dmp

Download
memory/1708-110-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-104-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-105-0x0000000000401BA8-mapping.dmp

Download
memory/1708-101-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-98-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-99-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1708-129-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1796-133-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download
memory/1796-132-0x0000000000000000-mapping.dmp

Download
memory/2000-123-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-130-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-120-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-125-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-126-0x000000000048F888-mapping.dmp

Download
memory/2000-127-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-118-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-121-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-131-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-116-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-114-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-112-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-111-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download