Analysis
max time kernel: 151s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 06/12/2022, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Resource
win10v2004-20221111-en
General
Target: cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Size: 217KB
MD5: b4f5bfc0ab0cc3d6b7a6b9653784de56
SHA1: c5314c708dbcd5d2f76bdab8ea3848c2bc1777c9
SHA256: cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e
SHA512: f94b3d6f024e64fa8761a4db9dbb5c8d308752d487fb3f859ae5d22ef950ebf200787c9d491462248fedcbbd031b6c8d1c3c3c0415b0f13b2777a237b4d314e4
SSDEEP: 3072:D1dlKwgj23+Oz05YoNozPTQydKKQR4KQS+2YkX4NX1enJ0fVTdCqBzIwPwR/3HFX:D1dlZro5yPTQyoKjh2Yn91285dFz1mH9
Malware Config
Extracted: xtremerat
C2 hosts:
- mjed10.no-ip.info
- remoteback.no-ip.biz
Signatures
Detect XtremeRAT payload (6 IoCs)
resource | yara_rule
- behavioral1/memory/1876-81-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- behavioral1/memory/1824-84-0x0000000000000000-mapping.dmp | family_xtremerat
- behavioral1/memory/1876-86-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- behavioral1/memory/1824-87-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- behavioral1/memory/1876-88-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- behavioral1/memory/1824-89-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE (2 IoCs)
pid | Process
- 1908 | text.exe
- 1876 | text.exe
resource | yara_rule
- behavioral1/memory/1876-75-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1876-80-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1876-81-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1876-86-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1824-87-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1876-88-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- behavioral1/memory/1824-89-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Loads dropped DLL (3 IoCs)
pid | Process
- 1196 | cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
- 1196 | cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
- 1908 | text.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 1908 set thread context of 1876 | 1908 | text.exe | 32
Drops file in Windows directory (1 IoC)
description | ioc | Process
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
- 940 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
- 940 | WINWORD.EXE
- 940 | WINWORD.EXE
- 1908 | text.exe
Suspicious use of WriteProcessMemory (31 IoCs)
Processes
- PID 1196: C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - PID 940: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Hmas.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - PID 528: C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  - PID 1908: C:\Users\Admin\AppData\Local\Temp\text.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\text.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - PID 1876: C:\Users\Admin\AppData\Local\Temp\text.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\text.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - PID 1824: C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
      - PID 1600: C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 109KB
MD5: 38b3a3a2f3679d1f12dc76208aeef7d2
SHA1: eece72da5420c5ea8501a8273a0e1bd6fe59148b
SHA256: 05b12df7e9ee980fcad3ce4b0dd8335578a458be4328ea895d1cb9247ee2ac30
SHA512: 619870731a2a6bda44bf92bf035f1d8a5001fe7a6300b990a841dbedb1354487bba477c739dc7c82790ae81d0d0a6bb176f963df355b97ffebe5512c138ade72

Filesize: 133KB
MD5: 97576fa7a236679dbe3abe1a4e852026
SHA1: 410f01060635c3aed10cc2eda9b1bd17a2771b66
SHA256: dc8ebbec5bd6c01c2665f66e4df7fbafc0572608869c768d9e8653bd99974cda
SHA512: 7ee1389b41cbe7c241bd788f5b13b90b25af5319a30898dc085b9ba86a9fd517b54e377d3d00123e5b491212e4b378f25c8dd7af3557d3583cb5516c4dc9b91d