Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
17-03-2023 18:55
Static task
static1
Behavioral task
behavioral1
Sample
zapitvane marko bulgaria eood.rtf
Resource
win7-20230220-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
zapitvane marko bulgaria eood.rtf
Resource
win10v2004-20230221-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
zapitvane marko bulgaria eood.rtf
-
Size
3KB
-
MD5
a5a6fbe5e7f86784d14ce1f4d7672f6b
-
SHA1
c8b9fc16cea841705b1b80152cc95f3322799c80
-
SHA256
7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248
-
SHA512
322944cc12604db232973329f9ad5e49c034d9ca4e55ffba3ddc8b4d2dc815c2afaeddae740436d07c88f46d9017902c88dac0cdc0610dcbd47cb9d0825218b3
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
74.201.28.92:3569
Attributes
-
communication_password
148b191cf4e80b549e1b1a4444f2bdf6
-
tor_process
tor
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1468 1764 taskmgr.exe 25 -
Blocklisted process makes network request 5 IoCs
flow pid Process 4 2032 EQNEDT32.EXE 6 2032 EQNEDT32.EXE 8 2032 EQNEDT32.EXE 10 2032 EQNEDT32.EXE 12 2032 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process 1228 fdry.exe 1212 fdry.exe 1244 wbnh.exe 1560 wbnh.exe -
Loads dropped DLL 7 IoCs
pid Process 2032 EQNEDT32.EXE 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1212 fdry.exe 1212 fdry.exe 1212 fdry.exe 1212 fdry.exe 1212 fdry.exe 1560 wbnh.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1228 set thread context of 1212 1228 fdry.exe 32 PID 1244 set thread context of 1560 1244 wbnh.exe 45 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 912 schtasks.exe 1596 schtasks.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2032 EQNEDT32.EXE -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1764 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1468 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1212 fdry.exe Token: SeShutdownPrivilege 1212 fdry.exe Token: SeDebugPrivilege 1468 taskmgr.exe Token: SeDebugPrivilege 1560 wbnh.exe Token: SeShutdownPrivilege 1560 wbnh.exe -
Suspicious use of FindShellTrayWindow 51 IoCs
pid Process 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe -
Suspicious use of SendNotifyMessage 51 IoCs
pid Process 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe 1468 taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1764 WINWORD.EXE 1764 WINWORD.EXE 1764 WINWORD.EXE 1212 fdry.exe 1212 fdry.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 1228 2032 EQNEDT32.EXE 31 PID 2032 wrote to memory of 1228 2032 EQNEDT32.EXE 31 PID 2032 wrote to memory of 1228 2032 EQNEDT32.EXE 31 PID 2032 wrote to memory of 1228 2032 EQNEDT32.EXE 31 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1212 1228 fdry.exe 32 PID 1228 wrote to memory of 1608 1228 fdry.exe 33 PID 1228 wrote to memory of 1608 1228 fdry.exe 33 PID 1228 wrote to memory of 1608 1228 fdry.exe 33 PID 1228 wrote to memory of 1608 1228 fdry.exe 33 PID 1228 wrote to memory of 1524 1228 fdry.exe 39 PID 1228 wrote to memory of 1524 1228 fdry.exe 39 PID 1228 wrote to memory of 1524 1228 fdry.exe 39 PID 1228 wrote to memory of 1524 1228 fdry.exe 39 PID 1228 wrote to memory of 828 1228 fdry.exe 35 PID 1228 wrote to memory of 828 1228 fdry.exe 35 PID 1228 wrote to memory of 828 1228 fdry.exe 35 PID 1228 wrote to memory of 828 1228 fdry.exe 35 PID 1524 wrote to memory of 912 1524 cmd.exe 38 PID 1524 wrote to memory of 912 1524 cmd.exe 38 PID 1524 wrote to memory of 912 1524 cmd.exe 38 PID 1524 wrote to memory of 912 1524 cmd.exe 38 PID 1764 wrote to memory of 1468 1764 WINWORD.EXE 40 PID 1764 wrote to memory of 1468 1764 WINWORD.EXE 40 PID 1764 wrote to memory of 1468 1764 WINWORD.EXE 40 PID 1764 wrote to memory of 1468 1764 WINWORD.EXE 40 PID 816 wrote to memory of 1244 816 taskeng.exe 44 PID 816 wrote to memory of 1244 816 taskeng.exe 44 PID 816 wrote to memory of 1244 816 taskeng.exe 44 PID 816 wrote to memory of 1244 816 taskeng.exe 44 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1560 1244 wbnh.exe 45 PID 1244 wrote to memory of 1524 1244 wbnh.exe 47 PID 1244 wrote to memory of 1524 1244 wbnh.exe 47 PID 1244 wrote to memory of 1524 1244 wbnh.exe 47 PID 1244 wrote to memory of 1524 1244 wbnh.exe 47 PID 1244 wrote to memory of 392 1244 wbnh.exe 46 PID 1244 wrote to memory of 392 1244 wbnh.exe 46 PID 1244 wrote to memory of 392 1244 wbnh.exe 46 PID 1244 wrote to memory of 392 1244 wbnh.exe 46 PID 1244 wrote to memory of 1988 1244 wbnh.exe 49 PID 1244 wrote to memory of 1988 1244 wbnh.exe 49 PID 1244 wrote to memory of 1988 1244 wbnh.exe 49 PID 1244 wrote to memory of 1988 1244 wbnh.exe 49
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapitvane marko bulgaria eood.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\system32\taskmgr.exe"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1468
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Roaming\fdry.exeC:\Users\Admin\AppData\Roaming\fdry.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Users\Admin\AppData\Roaming\fdry.exe"C:\Users\Admin\AppData\Roaming\fdry.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1212
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"3⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fdry.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵PID:828
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
PID:1524
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f1⤵
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\taskeng.exetaskeng.exe {31F86732-CE44-47B7-BDB7-407482B2C920} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exeC:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f3⤵PID:392
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f4⤵
- Creates scheduled task(s)
PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"3⤵PID:1524
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵PID:1988
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
20KB
MD5771e1815c9356132833a8e9ebf843448
SHA1ef3b00707d361f0a9835fa9ee8bb9d89db53610b
SHA256eaf8c56b3f08ddd555655a7f9d5c2f5b7a52bf1587853e00c1cd8bc81762aefa
SHA51293494a4f21619eb4896c618561acc7fefc4d8fd4287d6248f270c8d0f642cec3edc589dd3804e47d799f62c0719665f899d6c3e0f61c55345504400418d23291
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
Filesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19