Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
192s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28/11/2022, 01:22
Static task
static1
Behavioral task
behavioral1
Sample
15767b9e41ee631007be134b6ed1a65b9cf1805e15a730ffa18f62efb88ba7fa.doc
Resource
win7-20221111-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
15767b9e41ee631007be134b6ed1a65b9cf1805e15a730ffa18f62efb88ba7fa.doc
Resource
win10v2004-20221111-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
15767b9e41ee631007be134b6ed1a65b9cf1805e15a730ffa18f62efb88ba7fa.doc
-
Size
770KB
-
MD5
30ac5cdbdd174e3debe2967669080398
-
SHA1
e0fcadb812d01fe5791b9a17414ea1d35c9e4e15
-
SHA256
15767b9e41ee631007be134b6ed1a65b9cf1805e15a730ffa18f62efb88ba7fa
-
SHA512
8bed779eebff6b0f1218f7b1fe4c9e2cf0ac8546146a3fc8545cf53c4b5568f41877e77fcc7535a4e00a677233495b1d167f176e65146dd5cf10d4aaca8ac0ed
-
SSDEEP
12288:hdP4gs4g8zMQtBgaJm8tspGtgsKZd2fKZd2EIAB0FIzuJuXtiabre:8SVG8P6swEwFFzMudia+
Malware Config
Extracted
Family
pony
C2
http://www.krossfight.eu/trustmebaby/gate.php
Attributes
-
payload_url
http://optimization-methods.com/Bilder/calc.exe
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 992 hXXsKoxVZkewe.exe -
resource yara_rule behavioral1/memory/992-64-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/992-66-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/992-69-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/992-71-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Loads dropped DLL 1 IoCs
pid Process 2028 WINWORD.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts hXXsKoxVZkewe.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook hXXsKoxVZkewe.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52D5D103-21E5-4CD0-9621-D9E96374B9E2}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9861C6B8-B530-47E7-AAF5-9A1B682AE733}\1.0\0\win32 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\TypeLib\{AD9B901D-8090-40C8-BB72-D308BED77A51} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52D5D103-21E5-4CD0-9621-D9E96374B9E2}\1.0\FLAGS WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C70-067D-11D0-95D8-00A02463AB28}\ = "IScriptModule" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\TypeLib WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52D5D103-21E5-4CD0-9621-D9E96374B9E2}\1.0\0\win32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{52D5D103-21E5-4CD0-9621-D9E96374B9E2}\1.0 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\ = "IScriptControl" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2028 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 992 hXXsKoxVZkewe.exe Token: SeTcbPrivilege 992 hXXsKoxVZkewe.exe Token: SeChangeNotifyPrivilege 992 hXXsKoxVZkewe.exe Token: SeCreateTokenPrivilege 992 hXXsKoxVZkewe.exe Token: SeBackupPrivilege 992 hXXsKoxVZkewe.exe Token: SeRestorePrivilege 992 hXXsKoxVZkewe.exe Token: SeIncreaseQuotaPrivilege 992 hXXsKoxVZkewe.exe Token: SeAssignPrimaryTokenPrivilege 992 hXXsKoxVZkewe.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2028 WINWORD.EXE 2028 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2028 wrote to memory of 992 2028 WINWORD.EXE 29 PID 2028 wrote to memory of 992 2028 WINWORD.EXE 29 PID 2028 wrote to memory of 992 2028 WINWORD.EXE 29 PID 2028 wrote to memory of 992 2028 WINWORD.EXE 29 PID 2028 wrote to memory of 1580 2028 WINWORD.EXE 31 PID 2028 wrote to memory of 1580 2028 WINWORD.EXE 31 PID 2028 wrote to memory of 1580 2028 WINWORD.EXE 31 PID 2028 wrote to memory of 1580 2028 WINWORD.EXE 31 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook hXXsKoxVZkewe.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\15767b9e41ee631007be134b6ed1a65b9cf1805e15a730ffa18f62efb88ba7fa.doc"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\hXXsKoxVZkewe.exehXXsKoxVZkewe.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:992
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1580
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD55e6e27519a3cb22829e9557c7b3f5611
SHA101138acc6341210a0224bd82200e16d2b43ce4a4
SHA256e0549bd59dbdcc52796bc45f91c29b622d24387112449e35f269947d7a55b696
SHA51286f52066aa648b85ff46c3d40c8e09b640c569470f9b2b05e5facb6905993d0957acae27522041ce32a12ebd2e73b99b8e039b8f7ba45a260d9d6acdd2857a52
-
Filesize
92KB
MD55e6e27519a3cb22829e9557c7b3f5611
SHA101138acc6341210a0224bd82200e16d2b43ce4a4
SHA256e0549bd59dbdcc52796bc45f91c29b622d24387112449e35f269947d7a55b696
SHA51286f52066aa648b85ff46c3d40c8e09b640c569470f9b2b05e5facb6905993d0957acae27522041ce32a12ebd2e73b99b8e039b8f7ba45a260d9d6acdd2857a52
-
Filesize
92KB
MD55e6e27519a3cb22829e9557c7b3f5611
SHA101138acc6341210a0224bd82200e16d2b43ce4a4
SHA256e0549bd59dbdcc52796bc45f91c29b622d24387112449e35f269947d7a55b696
SHA51286f52066aa648b85ff46c3d40c8e09b640c569470f9b2b05e5facb6905993d0957acae27522041ce32a12ebd2e73b99b8e039b8f7ba45a260d9d6acdd2857a52