04a5e2c14d7f9d46c5eac57ea70040bbe1e4215205b6f616b125463c3bb7a466

Analysis

max time kernel
102s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/03/2023, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

COPY REMMITTANCE.rtf
Size

29KB
MD5

9cf9b2689e9cf1828198509df38ed707
SHA1

cd3687a2aed2c33ac8194d18fdd9ec31f854a59a
SHA256

04a5e2c14d7f9d46c5eac57ea70040bbe1e4215205b6f616b125463c3bb7a466
SHA512

68e66d3dad87d99619e96976eadc61a55c5c0f93cc373a9ef1569d94c0b81b9306dcfbedd025a99bef982c6b9a783f6c43bd687748cfdb5ed64d3168030ba86d
SSDEEP

768:BFx0XaIsnPRIa4fwJMXDICAhPjIJot1LnHWuTES:Bf0Xvx3EMzIh1jIOLbt

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1956	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
616	secugopoundtek3672.exe
532	secugopoundtek3672.exe
1604	secugopoundtek3672.exe
908	secugopoundtek3672.exe
904	secugopoundtek3672.exe
864	secugopoundtek3672.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	EQNEDT32.EXE
1956	EQNEDT32.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1956	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe
616	secugopoundtek3672.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	secugopoundtek3672.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	WINWORD.EXE
2016	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 616	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 616	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 616	1956	EQNEDT32.EXE	29
PID 1956 wrote to memory of 616	1956	EQNEDT32.EXE	29
PID 2016 wrote to memory of 1524	2016	WINWORD.EXE	32
PID 2016 wrote to memory of 1524	2016	WINWORD.EXE	32
PID 2016 wrote to memory of 1524	2016	WINWORD.EXE	32
PID 2016 wrote to memory of 1524	2016	WINWORD.EXE	32
PID 616 wrote to memory of 532	616	secugopoundtek3672.exe	33
PID 616 wrote to memory of 532	616	secugopoundtek3672.exe	33
PID 616 wrote to memory of 532	616	secugopoundtek3672.exe	33
PID 616 wrote to memory of 532	616	secugopoundtek3672.exe	33
PID 616 wrote to memory of 1604	616	secugopoundtek3672.exe	34
PID 616 wrote to memory of 1604	616	secugopoundtek3672.exe	34
PID 616 wrote to memory of 1604	616	secugopoundtek3672.exe	34
PID 616 wrote to memory of 1604	616	secugopoundtek3672.exe	34
PID 616 wrote to memory of 908	616	secugopoundtek3672.exe	35
PID 616 wrote to memory of 908	616	secugopoundtek3672.exe	35
PID 616 wrote to memory of 908	616	secugopoundtek3672.exe	35
PID 616 wrote to memory of 908	616	secugopoundtek3672.exe	35
PID 616 wrote to memory of 904	616	secugopoundtek3672.exe	36
PID 616 wrote to memory of 904	616	secugopoundtek3672.exe	36
PID 616 wrote to memory of 904	616	secugopoundtek3672.exe	36
PID 616 wrote to memory of 904	616	secugopoundtek3672.exe	36
PID 616 wrote to memory of 864	616	secugopoundtek3672.exe	37
PID 616 wrote to memory of 864	616	secugopoundtek3672.exe	37
PID 616 wrote to memory of 864	616	secugopoundtek3672.exe	37
PID 616 wrote to memory of 864	616	secugopoundtek3672.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\COPY REMMITTANCE.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1524

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
  "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
    "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
    "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
    "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
    3⤵
    - Executes dropped EXE
    PID:908
- - C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
    "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
    3⤵
    - Executes dropped EXE
    PID:904
- - C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe
    "C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe"
    3⤵
    - Executes dropped EXE
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a6ae239fc2e28200a6f1a8ccacf121e6

SHA1
8f69fb174b9539a14575eaefff19d8afe61a7cf1

SHA256
f5997bc0c5fdeb0b342e282d81ab581dbb91a9fb5acba950f88917effca2eee3

SHA512
31c72087992662e15753b22c146a61c46644bd63c3a50e3eb78ddda0965b0bf7ddab752c2b702f2b8d26d75d5729ed5780c8227e593854702f00a067d0d38e81

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
C:\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
\Users\Admin\AppData\Roaming\secugopoundtek3672.exe

Filesize
815KB

MD5
629b9eb152895dffb0f20875ef095662

SHA1
621d9d0399b6ac2dd78cc82ff86df2a4ff8ada73

SHA256
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14

SHA512
49653756030145d41ebe40ff2f8da011251cdf847e72896ff5cfb4d60a15ad1b17a36f071ca1d5e0b0b08501b421b9e594f51b8a3bca8addde83427b56996a8b

Download Submit
memory/616-79-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/616-81-0x0000000004150000-0x0000000004188000-memory.dmp

Filesize
224KB

Download
memory/616-70-0x0000000000370000-0x0000000000440000-memory.dmp

Filesize
832KB

Download
memory/616-80-0x00000000056F0000-0x00000000057A0000-memory.dmp

Filesize
704KB

Download
memory/616-75-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/616-77-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/616-76-0x0000000000440000-0x0000000000460000-memory.dmp

Filesize
128KB

Download
memory/2016-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download