84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db

Analysis

max time kernel
125s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm
Size

36KB
MD5

4d41aa8d48ebe4058400414209661ce1
SHA1

d4bb81ee3cd28bf2d7f2bebeb3abcfb010a40a40
SHA256

84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db
SHA512

207cb9feb0bf381df043f896983a1cceb50d51276c0883e7586a26932bd4a137efbc00776e08dff3ed97a403ae160595ca9eb65bba09b694b6c33570be123da2
SSDEEP

768:c6v3MYE5yrGJKqKcDZb+vgSGf4fKnUXXr6ffGxuH5l6:c6v8i0KDOjnm6ffGU5l6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://91.220.131.114/upd/install.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1420	900	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1712 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
4	1712	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\TypeLib\{5A6B3B68-B7B8-4428-9244-E725E0F0CA69}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\TypeLib\{5A6B3B68-B7B8-4428-9244-E725E0F0CA69}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5A6B3B68-B7B8-4428-9244-E725E0F0CA69}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\TypeLib\{5A6B3B68-B7B8-4428-9244-E725E0F0CA69}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1828 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1712 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1712 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
900 WINWORD.EXE

pid	process
1828	PING.EXE

pid	process
900	WINWORD.EXE

pid	process
1712	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe

pid	process
900	WINWORD.EXE
900	WINWORD.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 900 wrote to memory of 1088	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1088	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1088	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1088	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 900 wrote to memory of 1420	900	WINWORD.EXE	cmd.exe
PID 1420 wrote to memory of 1828	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1828	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1828	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1828	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1836	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 1836	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 1836	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 1836	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 1164	1420	cmd.exe	cscript.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	cscript.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	cscript.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	cscript.exe
PID 1164 wrote to memory of 1712	1164	cscript.exe	powershell.exe
PID 1164 wrote to memory of 1712	1164	cscript.exe	powershell.exe
PID 1164 wrote to memory of 1712	1164	cscript.exe	powershell.exe
PID 1164 wrote to memory of 1712	1164	cscript.exe	powershell.exe
PID 1712 wrote to memory of 2020	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 2020	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 2020	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 2020	1712	powershell.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:1828

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
a5606d4e993f72fa68e41f0b3c4bdc3a

SHA1
3c8520de628b33b98a7d56f0d69246914ea52bb5

SHA256
39016def2e66910a436ce081f9cc40c1b08192052b4a93a435d6b9f998a9c03a

SHA512
c40f4c58c144afcce457124b262408e6956b16d285664f62966639a3f979a2ab67d73691f819f68841d3ff4390fd71e7e13e064fd844d58229b7a9815ae2242f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
133B

MD5
5fb5e5941e8075702155a334a4d2d550

SHA1
8f509452a0eb033db1627fea9bf0e3f67c2c1c45

SHA256
f6d1ed9aaf131c3d6489e59acd62abd00bb53bb9c1a65ff4d441d8246e512f8f

SHA512
3e292405a4d666653eb594efffbb8011752229f814e889ed1bf7062f7e21ddee8a82538171f5ee8b8aeb58f5d3e9ed02f29f4612f66e5c84117de70b67c26390

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
398B

MD5
f274f67c467b49b9d278ca3b4196b5d0

SHA1
8b80213e280bf2b40057a3b5269a540c387fd036

SHA256
79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1

SHA512
12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Download Submit
memory/900-87-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-81-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-64-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-63-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-62-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-61-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-60-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-59-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-65-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-67-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-66-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-69-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-68-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-90-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-70-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-72-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-73-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-75-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-74-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-76-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-77-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-79-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-78-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-80-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-91-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-82-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-84-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-83-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-85-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-86-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-88-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-54-0x0000000072661000-0x0000000072664000-memory.dmp

Filesize
12KB

Download
memory/900-125-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/900-71-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-58-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/900-92-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-93-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/900-55-0x00000000700E1000-0x00000000700E3000-memory.dmp

Filesize
8KB

Download
memory/900-96-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/900-89-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-98-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-99-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-104-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-103-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-102-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-101-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-100-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-57-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/900-108-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-109-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-110-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-111-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-107-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-112-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/900-113-0x00000000004AE000-0x00000000004B2000-memory.dmp

Filesize
16KB

Download
memory/1088-95-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1088-94-0x0000000000000000-mapping.dmp

Download
memory/1164-115-0x0000000000000000-mapping.dmp

Download
memory/1420-97-0x0000000000000000-mapping.dmp

Download
memory/1712-118-0x0000000000000000-mapping.dmp

Download
memory/1712-120-0x0000000004B80000-0x00000000050B6000-memory.dmp

Filesize
5.2MB

Download
memory/1712-121-0x000000006A030000-0x000000006A5DB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-123-0x000000006A030000-0x000000006A5DB000-memory.dmp

Filesize
5.7MB

Download
memory/1828-106-0x0000000000000000-mapping.dmp

Download
memory/1836-114-0x0000000000000000-mapping.dmp

Download
memory/2020-126-0x0000000000000000-mapping.dmp

Download