Analysis
max time kernel: 194s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 16:51
Static task
static1
Behavioral task
behavioral1
Sample
7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Resource
win10v2004-20220812-en
General
Target: 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Size: 45KB
MD5: 26d925c763fbf9884e8e40aeeadcaeee
SHA1: 2787780ec9cd357d3dec5eb2f9bb2fb2bdced57a
SHA256: 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95
SHA512: a4bc4293bae1df27539f32c2dc08a495d4cdd45d219bbe5c8b4f3931d245985a2ce7a194a698106fb0cce6c2141766ff1972281486b01e00604c49d413d93e67
SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXY:EOxyeFo6NPCAosxYyXdF5oy3VoKY
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Winlogon reads the Userinit and Shell values at every interactive logon, so the copy dropped under C:\recycled is started whenever a user signs in; keeping "Explorer.exe" first in Shell preserves the normal desktop.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Executes dropped EXE (12 IoCs)
pid | Process
3540 | SVCHOST.EXE
4372 | SVCHOST.EXE
4296 | SPOOLSV.EXE
5052 | SPOOLSV.EXE
3472 | CTFMON.EXE
1640 | SVCHOST.EXE
3092 | CTFMON.EXE
1604 | SPOOLSV.EXE
212 | CTFMON.EXE
2712 | SVCHOST.EXE
1280 | SPOOLSV.EXE
5064 | CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Note that every hit in this table comes from WINWORD.EXE, which the sample launched to open the .doc, not from the sample or its dropped copies.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (29 IoCs)
The scrfile (screen saver) file class is renamed to "Microsoft Word 97 - 2003 Document", its config and install verbs are deleted, and the Word.Document.8 default icon is pointed at Office's docicon.exe, so .scr files carry the Word document type name in Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\QuickTip = "prop:Type;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\QuickTip = "prop:Type;Size" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\TileInfo = "prop:Type;Size" | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\TileInfo = "prop:Type;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | CTFMON.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3360 | WINWORD.EXE
3360 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (20 IoCs)
pid | Process
1108 | 7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
3540 | SVCHOST.EXE
4372 | SVCHOST.EXE
4296 | SPOOLSV.EXE
5052 | SPOOLSV.EXE
3472 | CTFMON.EXE
1640 | SVCHOST.EXE
3092 | CTFMON.EXE
1604 | SPOOLSV.EXE
212 | CTFMON.EXE
2712 | SVCHOST.EXE
1280 | SPOOLSV.EXE
5064 | CTFMON.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
3360 | WINWORD.EXE
Suspicious use of WriteProcessMemory (44 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.exe"
  PID:1108
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\recycled\SVCHOST.EXE
    command line: C:\recycled\SVCHOST.EXE :agent
    PID:3540
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      PID:4372
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      PID:5052
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\recycled\CTFMON.EXE
      command line: C:\recycled\CTFMON.EXE :agent
      PID:3472
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\recycled\SVCHOST.EXE
        command line: C:\recycled\SVCHOST.EXE :agent
        PID:2712
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\recycled\SPOOLSV.EXE
        command line: C:\recycled\SPOOLSV.EXE :agent
        PID:1280
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\recycled\CTFMON.EXE
        command line: C:\recycled\CTFMON.EXE :agent
        PID:5064
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\userinit.exe
      command line: C:\Windows\system32\userinit.exe
      PID:2704
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Explorer.exe
        command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        PID:1472
  C:\recycled\SPOOLSV.EXE
    command line: C:\recycled\SPOOLSV.EXE :agent
    PID:4296
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      PID:1640
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      PID:1604
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\recycled\CTFMON.EXE
      command line: C:\recycled\CTFMON.EXE :agent
      PID:212
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\recycled\CTFMON.EXE
    command line: C:\recycled\CTFMON.EXE :agent
    PID:3092
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f30de557dac87df619d85b2af49f45b39f16e9ae494a123330b6328c9a45d95.doc" /o ""
    PID:3360
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID:2032
Downloads