Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19-01-2023 09:51
Static task
static1
Behavioral task
behavioral1
Sample
PO19-003219.docx
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PO19-003219.docx
Resource
win10v2004-20221111-en
General
-
Target
PO19-003219.docx
-
Size
10KB
-
MD5
9d29fe2f2a17ed895175dd589f28179c
-
SHA1
fca9f01cb1f2671731316052c4f681b22a8b458e
-
SHA256
cde127d66368c03e3e6b564eb4b28ad03314ad956d4f8e4eda1b5d9f35910674
-
SHA512
2acc073048ce529eca1853c6b9e9602787ac6cc9034c7cd7e2256fd837ee2d0c14d7e7b6840b41a805b26ba35c7a8f4018075a21afb2f80a8c9100112da8d345
-
SSDEEP
192:ScIMmtP8ar5G/bfIdTOBnT8namWBX8ex6y3vkLN:SPXt4ATOVT8nosM85
Malware Config
Extracted
lokibot
https://sempersim.su/ha1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1728 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exegriomhv.exegriomhv.exepid process 1852 vbc.exe 316 griomhv.exe 848 griomhv.exe -
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://392097655/_--00_o______---0o0_00_0oo_0-o_o0-__________o0o-__________/ozzwerdfdghjfdggsahfhfghf.doc WINWORD.EXE -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEvbc.exegriomhv.exepid process 1728 EQNEDT32.EXE 1852 vbc.exe 1852 vbc.exe 316 griomhv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook griomhv.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook griomhv.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook griomhv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
griomhv.exedescription pid process target process PID 316 set thread context of 848 316 griomhv.exe griomhv.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 900 WINWORD.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
griomhv.exepid process 316 griomhv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
griomhv.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 848 griomhv.exe Token: SeShutdownPrivilege 900 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 900 WINWORD.EXE 900 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEvbc.exeWINWORD.EXEgriomhv.exedescription pid process target process PID 1728 wrote to memory of 1852 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1852 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1852 1728 EQNEDT32.EXE vbc.exe PID 1728 wrote to memory of 1852 1728 EQNEDT32.EXE vbc.exe PID 1852 wrote to memory of 316 1852 vbc.exe griomhv.exe PID 1852 wrote to memory of 316 1852 vbc.exe griomhv.exe PID 1852 wrote to memory of 316 1852 vbc.exe griomhv.exe PID 1852 wrote to memory of 316 1852 vbc.exe griomhv.exe PID 900 wrote to memory of 1612 900 WINWORD.EXE splwow64.exe PID 900 wrote to memory of 1612 900 WINWORD.EXE splwow64.exe PID 900 wrote to memory of 1612 900 WINWORD.EXE splwow64.exe PID 900 wrote to memory of 1612 900 WINWORD.EXE splwow64.exe PID 316 wrote to memory of 848 316 griomhv.exe griomhv.exe PID 316 wrote to memory of 848 316 griomhv.exe griomhv.exe PID 316 wrote to memory of 848 316 griomhv.exe griomhv.exe PID 316 wrote to memory of 848 316 griomhv.exe griomhv.exe PID 316 wrote to memory of 848 316 griomhv.exe griomhv.exe -
outlook_office_path 1 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook griomhv.exe -
outlook_win_path 1 IoCs
Processes:
griomhv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook griomhv.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO19-003219.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\griomhv.exe"C:\Users\Admin\AppData\Local\Temp\griomhv.exe" C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\griomhv.exe"C:\Users\Admin\AppData\Local\Temp\griomhv.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
C:\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
C:\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnbFilesize
5KB
MD5736c032772b93b60ae1e2067052cadb1
SHA1a7e78bc73ce87b809a3d37653f1922720b183114
SHA256d4ee48c3fafdea592df4f1de273497e2a15e0a86fa45d5608f61f6d764049ccd
SHA512ba175ed6e56513877d0ba31e38e351927319d5db57ddaeb52b960b55660cf6414af5b1c19cf059eb3048b0e080f3b0bdb8abedd61c96a02552d5980f326d4b38
-
C:\Users\Admin\AppData\Local\Temp\ulamxtxdx.dnFilesize
124KB
MD522286bcaafac73cc45e5d1cf19945c42
SHA1b6b687b63da60b27a08547ab631b98496e00319f
SHA2566b0abe65ad494fd2a39e1ed8799e60a45e3ebeb72136adca4eeeb575ec897c1e
SHA512c16ff1af55bbde8bd07c7d252595c7778fe97284d9927ea5b441e4aef4e31df3f23187c501f22d8a294bbe21422a1715363b026eb41fff7a1a5b3d67f0412f7c
-
C:\Users\Public\vbc.exeFilesize
354KB
MD558dbd12561b26a53ecf30b37a0c4060d
SHA13e1c7d108c4d672b2bf226727485a163a8fa70a9
SHA256adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430
SHA512d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d
-
C:\Users\Public\vbc.exeFilesize
354KB
MD558dbd12561b26a53ecf30b37a0c4060d
SHA13e1c7d108c4d672b2bf226727485a163a8fa70a9
SHA256adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430
SHA512d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d
-
\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
\Users\Admin\AppData\Local\Temp\griomhv.exeFilesize
50KB
MD51e615c9c0c88c482c37312c4d4dd21ad
SHA1d39ff54b50c39a65aab93ba6c2f0973352acc17c
SHA256f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397
SHA512c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496
-
\Users\Public\vbc.exeFilesize
354KB
MD558dbd12561b26a53ecf30b37a0c4060d
SHA13e1c7d108c4d672b2bf226727485a163a8fa70a9
SHA256adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430
SHA512d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d
-
memory/316-68-0x0000000000000000-mapping.dmp
-
memory/848-81-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/848-80-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/848-77-0x00000000004139DE-mapping.dmp
-
memory/900-54-0x0000000072A71000-0x0000000072A74000-memory.dmpFilesize
12KB
-
memory/900-58-0x00000000714DD000-0x00000000714E8000-memory.dmpFilesize
44KB
-
memory/900-57-0x0000000075E11000-0x0000000075E13000-memory.dmpFilesize
8KB
-
memory/900-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/900-55-0x00000000704F1000-0x00000000704F3000-memory.dmpFilesize
8KB
-
memory/900-59-0x00000000714DD000-0x00000000714E8000-memory.dmpFilesize
44KB
-
memory/900-82-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/900-83-0x00000000714DD000-0x00000000714E8000-memory.dmpFilesize
44KB
-
memory/1612-72-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmpFilesize
8KB
-
memory/1612-71-0x0000000000000000-mapping.dmp
-
memory/1852-62-0x0000000000000000-mapping.dmp