remcos | ae22d6cc4669f4e7f6d38b4a28eb17be794afa04c5588186b968a6f88b5a3a02

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PC-1873736.rtf
Size

31KB
MD5

03210d6a52789ad39ccbb7f12e837e4d
SHA1

358641ec11229d4ce26d30edc42745d81543882e
SHA256

ae22d6cc4669f4e7f6d38b4a28eb17be794afa04c5588186b968a6f88b5a3a02
SHA512

28de20ec701f7221c46f79c7b4a7aab07c828fd65d1040c9b25a2581d4931111491559facb66d4979d99ca2b4538dd1ee88e131d168905313379444748d12312
SSDEEP

768:nFx0XaIsnPRIa4fwJM532DgDjAA7kZM2MACsd00MpCMjAu9g:nf0Xvx3EM5GDMjAez2MK6CMjT9g

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

favgrandson7.sytes.net:1993

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HFW64Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1584	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1928	plugmncru65.exe
1064	oaipgeihe.exe
2040	oaipgeihe.exe

Loads dropped DLL 4 IoCs

pid	Process
1584	EQNEDT32.EXE
1928	plugmncru65.exe
1928	plugmncru65.exe
1064	oaipgeihe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 2040	1064	oaipgeihe.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1584	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1080	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1064	oaipgeihe.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE
2040	oaipgeihe.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1928	1584	EQNEDT32.EXE	31
PID 1584 wrote to memory of 1928	1584	EQNEDT32.EXE	31
PID 1584 wrote to memory of 1928	1584	EQNEDT32.EXE	31
PID 1584 wrote to memory of 1928	1584	EQNEDT32.EXE	31
PID 1928 wrote to memory of 1064	1928	plugmncru65.exe	32
PID 1928 wrote to memory of 1064	1928	plugmncru65.exe	32
PID 1928 wrote to memory of 1064	1928	plugmncru65.exe	32
PID 1928 wrote to memory of 1064	1928	plugmncru65.exe	32
PID 1064 wrote to memory of 2040	1064	oaipgeihe.exe	35
PID 1064 wrote to memory of 2040	1064	oaipgeihe.exe	35
PID 1064 wrote to memory of 2040	1064	oaipgeihe.exe	35
PID 1064 wrote to memory of 2040	1064	oaipgeihe.exe	35
PID 1064 wrote to memory of 2040	1064	oaipgeihe.exe	35
PID 1080 wrote to memory of 608	1080	WINWORD.EXE	37
PID 1080 wrote to memory of 608	1080	WINWORD.EXE	37
PID 1080 wrote to memory of 608	1080	WINWORD.EXE	37
PID 1080 wrote to memory of 608	1080	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PC-1873736.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:608

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Roaming\plugmncru65.exe
  "C:\Users\Admin\AppData\Roaming\plugmncru65.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe
    "C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe" C:\Users\Admin\AppData\Local\Temp\izexbgkxgg.sxl
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe
      "C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcdzspw.bz

Filesize
491KB

MD5
5c0c79b8035df3dbe438ba61f65c935e

SHA1
6b9f5ca4b392ac4d19a5acd0e25489b2be5a6a74

SHA256
ffbded11cc7890ca112c6580bf0b54a8dace2db9878f4f6ec99ed1d322a67d8a

SHA512
618625e27728408a4975a9293f20f842e90dffff658acd6c1e4780092c3cea2253b5fe9efbac156dcc7741de0fc512a431b051a6fb95439c788e20390445753d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izexbgkxgg.sxl

Filesize
5KB

MD5
425432a41c7ba3453c1aafe8e703c548

SHA1
4cb0a75d80680302afc5d3c2808d8d1c5d1bd017

SHA256
8e3878f57c3cc0c0036c985e6095c7fe12ee75fb4aa26aae4fc1fa5aaa23ce11

SHA512
52f2aed62ffa47aaac2bdb579e7c356f56c73405eefbc62475a1ed0bebb018e302c6e38229d0fd1946a6b1079175406b0c29aad7e064e42c3b741d31883855a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
C:\Users\Admin\AppData\Roaming\plugmncru65.exe

Filesize
670KB

MD5
15d5e74616081c059d0107dbbbf5982c

SHA1
ec404a317e96007cdd3367c514ebf6a06304cc8e

SHA256
d47915645f8fa712a296ae6435bac9f09508e26a0fae53956d15f628dab2b027

SHA512
490e2d18079104a3d5708c620a9e884efc53da977fd8e6d98658e2e91e81c843705a71c5ffe31144d5102ddccedb1330959a24143337356b8e238d9dd581b6b8

Download Submit
C:\Users\Admin\AppData\Roaming\plugmncru65.exe

Filesize
670KB

MD5
15d5e74616081c059d0107dbbbf5982c

SHA1
ec404a317e96007cdd3367c514ebf6a06304cc8e

SHA256
d47915645f8fa712a296ae6435bac9f09508e26a0fae53956d15f628dab2b027

SHA512
490e2d18079104a3d5708c620a9e884efc53da977fd8e6d98658e2e91e81c843705a71c5ffe31144d5102ddccedb1330959a24143337356b8e238d9dd581b6b8

Download Submit
\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
\Users\Admin\AppData\Local\Temp\oaipgeihe.exe

Filesize
84KB

MD5
63c8bcf600622e14c7f79032c20b604b

SHA1
c5f189b785b1c4e8fd3602b8b223b8ae1fd6047b

SHA256
37b82ceb5601cfe987e7490f205c72266640da0abf6ed4ebcafa92c1a8b4019e

SHA512
d24df5ded2f8a0eb05603dfcf2f4cb202353fec01e01639bf3911784a174f5d59c43af6027e2ba25cf337324e119e00421d75130f1301dd3c253b04d62f25f2c

Download Submit
\Users\Admin\AppData\Roaming\plugmncru65.exe

Filesize
670KB

MD5
15d5e74616081c059d0107dbbbf5982c

SHA1
ec404a317e96007cdd3367c514ebf6a06304cc8e

SHA256
d47915645f8fa712a296ae6435bac9f09508e26a0fae53956d15f628dab2b027

SHA512
490e2d18079104a3d5708c620a9e884efc53da977fd8e6d98658e2e91e81c843705a71c5ffe31144d5102ddccedb1330959a24143337356b8e238d9dd581b6b8

Download Submit
memory/608-80-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1080-54-0x00000000729B1000-0x00000000729B4000-memory.dmp

Filesize
12KB

Download
memory/1080-58-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/1080-57-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1080-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-55-0x0000000070431000-0x0000000070433000-memory.dmp

Filesize
8KB

Download
memory/1080-82-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/1080-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-77-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/2040-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2040-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download