bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	CTFMON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

Modify Registry

Processes:

CTFMON.EXESPOOLSV.EXESVCHOST.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

Modify Registry

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeCTFMON.EXESPOOLSV.EXESVCHOST.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CTFMON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE

ASPack v2.12-2.42 21 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242
C:\Recycled\SVCHOST.EXE	aspack_v212_v242
C:\Recycled\SPOOLSV.EXE	aspack_v212_v242
C:\Recycled\CTFMON.EXE	aspack_v212_v242

Executes dropped EXE 15 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXE

pid	process
2688	SVCHOST.EXE
4104	SVCHOST.EXE
2176	SPOOLSV.EXE
4676	SVCHOST.EXE
1040	SPOOLSV.EXE
3776	CTFMON.EXE
3520	SVCHOST.EXE
4940	SPOOLSV.EXE
5008	CTFMON.EXE
4768	CTFMON.EXE
864	SPOOLSV.EXE
4064	CTFMON.EXE
4724	SVCHOST.EXE
4748	SPOOLSV.EXE
1636	CTFMON.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description ioc process

File opened for modification C:\Recycled\desktop.ini bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

SVCHOST.EXESPOOLSV.EXECTFMON.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\G:	CTFMON.EXE
File opened (read-only)	\??\W:	CTFMON.EXE
File opened (read-only)	\??\J:	CTFMON.EXE
File opened (read-only)	\??\N:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\S:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\E:	CTFMON.EXE
File opened (read-only)	\??\K:	CTFMON.EXE
File opened (read-only)	\??\I:	CTFMON.EXE
File opened (read-only)	\??\N:	CTFMON.EXE
File opened (read-only)	\??\H:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\L:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\M:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\F:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	CTFMON.EXE
File opened (read-only)	\??\P:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Z:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\X:	CTFMON.EXE
File opened (read-only)	\??\P:	CTFMON.EXE
File opened (read-only)	\??\J:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\V:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\W:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\M:	CTFMON.EXE
File opened (read-only)	\??\Q:	CTFMON.EXE
File opened (read-only)	\??\V:	CTFMON.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\E:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\O:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Y:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\L:	CTFMON.EXE
File opened (read-only)	\??\F:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\G:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\Q:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\X:	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\H:	CTFMON.EXE
File opened (read-only)	\??\S:	CTFMON.EXE
File opened (read-only)	\??\U:	CTFMON.EXE
File opened (read-only)	\??\F:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\F:	CTFMON.EXE

Drops file in Program Files directory 1 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Drops file in Windows directory 4 IoCs

Processes:

SVCHOST.EXESPOOLSV.EXECTFMON.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	CTFMON.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 29 IoCs

Processes:

SVCHOST.EXESPOOLSV.EXECTFMON.EXEbac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	CTFMON.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\InfoTip = "prop:Type;Write;Size"	CTFMON.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"	CTFMON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"	CTFMON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2864 WINWORD.EXE
2864 WINWORD.EXE

pid	process
2864	WINWORD.EXE
2864	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSPOOLSV.EXESVCHOST.EXECTFMON.EXE

pid	process
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
3776	CTFMON.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2176	SPOOLSV.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXECTFMON.EXESPOOLSV.EXECTFMON.EXESVCHOST.EXESPOOLSV.EXECTFMON.EXEWINWORD.EXE

pid	process
1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
2688	SVCHOST.EXE
4104	SVCHOST.EXE
2176	SPOOLSV.EXE
4676	SVCHOST.EXE
1040	SPOOLSV.EXE
3776	CTFMON.EXE
3520	SVCHOST.EXE
4940	SPOOLSV.EXE
5008	CTFMON.EXE
4768	CTFMON.EXE
864	SPOOLSV.EXE
4064	CTFMON.EXE
4724	SVCHOST.EXE
4748	SPOOLSV.EXE
1636	CTFMON.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exeSVCHOST.EXESPOOLSV.EXECTFMON.EXE

description	pid	process	target process
PID 1312 wrote to memory of 2688	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1312 wrote to memory of 2688	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1312 wrote to memory of 2688	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 2688 wrote to memory of 4104	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 4104	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 4104	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2176	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 2176	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 2176	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2176 wrote to memory of 4676	2176	SPOOLSV.EXE	SVCHOST.EXE
PID 2176 wrote to memory of 4676	2176	SPOOLSV.EXE	SVCHOST.EXE
PID 2176 wrote to memory of 4676	2176	SPOOLSV.EXE	SVCHOST.EXE
PID 2176 wrote to memory of 1040	2176	SPOOLSV.EXE	SPOOLSV.EXE
PID 2176 wrote to memory of 1040	2176	SPOOLSV.EXE	SPOOLSV.EXE
PID 2176 wrote to memory of 1040	2176	SPOOLSV.EXE	SPOOLSV.EXE
PID 2176 wrote to memory of 3776	2176	SPOOLSV.EXE	CTFMON.EXE
PID 2176 wrote to memory of 3776	2176	SPOOLSV.EXE	CTFMON.EXE
PID 2176 wrote to memory of 3776	2176	SPOOLSV.EXE	CTFMON.EXE
PID 3776 wrote to memory of 3520	3776	CTFMON.EXE	SVCHOST.EXE
PID 3776 wrote to memory of 3520	3776	CTFMON.EXE	SVCHOST.EXE
PID 3776 wrote to memory of 3520	3776	CTFMON.EXE	SVCHOST.EXE
PID 3776 wrote to memory of 4940	3776	CTFMON.EXE	SPOOLSV.EXE
PID 3776 wrote to memory of 4940	3776	CTFMON.EXE	SPOOLSV.EXE
PID 3776 wrote to memory of 4940	3776	CTFMON.EXE	SPOOLSV.EXE
PID 3776 wrote to memory of 5008	3776	CTFMON.EXE	CTFMON.EXE
PID 3776 wrote to memory of 5008	3776	CTFMON.EXE	CTFMON.EXE
PID 3776 wrote to memory of 5008	3776	CTFMON.EXE	CTFMON.EXE
PID 2688 wrote to memory of 4768	2688	SVCHOST.EXE	CTFMON.EXE
PID 2688 wrote to memory of 4768	2688	SVCHOST.EXE	CTFMON.EXE
PID 2688 wrote to memory of 4768	2688	SVCHOST.EXE	CTFMON.EXE
PID 1312 wrote to memory of 864	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 864	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 864	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 4064	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 4064	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 4064	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 4724	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1312 wrote to memory of 4724	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1312 wrote to memory of 4724	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SVCHOST.EXE
PID 1312 wrote to memory of 4748	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 4748	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 4748	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	SPOOLSV.EXE
PID 1312 wrote to memory of 1636	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 1636	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 1636	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	CTFMON.EXE
PID 1312 wrote to memory of 2864	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE
PID 1312 wrote to memory of 2864	1312	bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe
"C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4104

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4676

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1040

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3520

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4940

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5008

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4768

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4064

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4724

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4748

C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bac325eb84d39b4f17dd53c7f9c3a1187fdd33ea169920640bb0284c5fb3c5bc.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery