45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f

Analysis

max time kernel
107s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc
Size

191KB
MD5

cf75c33403bad87a59b0161576779ba2
SHA1

e4131593e9be8b994b49241cd2700479ddbfdab1
SHA256

45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f
SHA512

79f9a2753e3076cd5febbdfb438c6f98c718c10190a7663c4140d9ddc635db10c4ea0981867b67f0188064a3d18b4bfcb46c1b6ac859eebc501ec1cdfe53a3a8
SSDEEP

3072:yI6bftBVxtWBhOSBw3GMPfY98JfZmKP7uasFMakqYTfcIh+2oALNZCiZm8:yI6bftnxtZSBC498JzP7XsqakRTfc6+e

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.2fs.com.au/tmp/rkn.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1520	1272	cmd.exe	WINWORD.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1380 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1272 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1764 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1764 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1272 WINWORD.EXE
1272 WINWORD.EXE

pid	process
1380	PING.EXE

pid	process
1272	WINWORD.EXE

pid	process
1764	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe

pid	process
1272	WINWORD.EXE
1272	WINWORD.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1272 wrote to memory of 1520	1272	WINWORD.EXE	cmd.exe
PID 1520 wrote to memory of 1380	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1380	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1380	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1380	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1788	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1788	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1788	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1788	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1776	1520	cmd.exe	cscript.exe
PID 1520 wrote to memory of 1776	1520	cmd.exe	cscript.exe
PID 1520 wrote to memory of 1776	1520	cmd.exe	cscript.exe
PID 1520 wrote to memory of 1776	1520	cmd.exe	cscript.exe
PID 1776 wrote to memory of 1764	1776	cscript.exe	powershell.exe
PID 1776 wrote to memory of 1764	1776	cscript.exe	powershell.exe
PID 1776 wrote to memory of 1764	1776	cscript.exe	powershell.exe
PID 1776 wrote to memory of 1764	1776	cscript.exe	powershell.exe
PID 1272 wrote to memory of 1932	1272	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 1932	1272	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 1932	1272	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 1932	1272	WINWORD.EXE	splwow64.exe
PID 1764 wrote to memory of 652	1764	powershell.exe	cmd.exe
PID 1764 wrote to memory of 652	1764	powershell.exe	cmd.exe
PID 1764 wrote to memory of 652	1764	powershell.exe	cmd.exe
PID 1764 wrote to memory of 652	1764	powershell.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:1380

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
c3fdf3ccaeaa6bb33165dfe18dae43e6

SHA1
deaf2ed146ab346cd406eccc928a14552dd15e19

SHA256
8606130c7a68799d185a40da2c404b2fb6dbeba6ebc7bca7751e259cec83e148

SHA512
102913925ca5d8d746b1f8f7cbd0a65294a2a023b7d6609aee3a962e74ae21fb1b373b70655851a27d4f2921b9559dce43f50d4a117f517f167c2ea09d4a5e9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
116B

MD5
4922a773060a96738c0309ff2266e9b0

SHA1
4b2effb130c3c0af0c0d17566ea40ddcba59a50e

SHA256
9d005399621525cef2397ca6ebaae4dd373781bec66d362712df8431cbdd1a03

SHA512
ce612df4b8516dbfd0f332b3419cc858d2ebc2211d56f75c917d4af551fa20b3936558b4e0036e57844c8865f8ed9b75c7fdf2d49c0cd2e9acf655516d9ddd04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
398B

MD5
f274f67c467b49b9d278ca3b4196b5d0

SHA1
8b80213e280bf2b40057a3b5269a540c387fd036

SHA256
79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1

SHA512
12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Download Submit
memory/652-125-0x0000000000000000-mapping.dmp

Download
memory/1272-85-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-66-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-58-0x0000000070BFD000-0x0000000070C08000-memory.dmp

Filesize
44KB

Download
memory/1272-59-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-60-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-61-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-62-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-92-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-64-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-65-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-68-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-69-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-67-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-91-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-70-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-71-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-75-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-90-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-73-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-72-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-78-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-79-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-77-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-76-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-80-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-81-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-82-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-83-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-84-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-86-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1272-93-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-63-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-57-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1272-74-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-89-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-87-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-88-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-95-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-101-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-100-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-99-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-98-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-97-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-96-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-104-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-105-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-106-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-107-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-108-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-109-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-110-0x0000000000686000-0x000000000068A000-memory.dmp

Filesize
16KB

Download
memory/1272-111-0x0000000070BFD000-0x0000000070C08000-memory.dmp

Filesize
44KB

Download
memory/1272-127-0x0000000070BFD000-0x0000000070C08000-memory.dmp

Filesize
44KB

Download
memory/1272-126-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1272-54-0x0000000072191000-0x0000000072194000-memory.dmp

Filesize
12KB

Download
memory/1272-55-0x000000006FC11000-0x000000006FC13000-memory.dmp

Filesize
8KB

Download
memory/1380-103-0x0000000000000000-mapping.dmp

Download
memory/1520-94-0x0000000000000000-mapping.dmp

Download
memory/1764-120-0x0000000004B80000-0x00000000050B6000-memory.dmp

Filesize
5.2MB

Download
memory/1764-118-0x0000000069FF0000-0x000000006A59B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-124-0x0000000069FF0000-0x000000006A59B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-116-0x0000000000000000-mapping.dmp

Download
memory/1776-113-0x0000000000000000-mapping.dmp

Download
memory/1788-112-0x0000000000000000-mapping.dmp

Download
memory/1932-122-0x0000000000000000-mapping.dmp

Download
memory/1932-123-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download