Analysis
max time kernel: 296s
max time network: 300s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2023, 11:12
Static task: static1
Behavioral task: behavioral1
  Sample: (RFQ) – 14000102697.rtf
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: (RFQ) – 14000102697.rtf
  Resource: win10v2004-20230220-en
(The signature, process and download details below are those of behavioral1, the Windows 7 run.)
General
Target: (RFQ) – 14000102697.rtf
Size: 37KB
MD5: 17be8aa282a9714f7e11bc6a7b453f81
SHA1: 745cc223e837bc41a8bacb09c7d12ce246042fe4
SHA256: ae3bc9f972947dbad44ec70d3d5aa55cce92a10bd87bed17004da72b800a0c67
SHA512: 5e671ebf0769f03f7bbec062797a37aed18a3e3a257ce8b4c0aa53f7065011a71eea63d5556a9de99723b8e08cc4571c36b79e71034e3d6d6c43e236a4617a83
SSDEEP: 768:wFx0XaIsnPRIa4fwJMAcErwPkegfqqOva9MSYlR74E+60WdFJBHDpZ:wf0Xvx3EMAcEraqOvabYlIcdFJ1tZ
Malware Config: no configuration was extracted in this report.
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Note that the signature is keyed on the direct parent: EQNEDT32.EXE is started through COM activation (-Embedding) and therefore appears as its own tree root rather than as a child of WINWORD.EXE, so its child maxoysj4762.exe is not covered by this rule and shows up under "Executes dropped EXE" instead.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1732 | 1676 | autoconv.exe | 25
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1820 | 1676 | cscript.exe | 25
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
3 | 464 | EQNEDT32.EXE
9 | 1820 | cscript.exe

Downloads MZ/PE file
(No IoC rows are listed for this signature; the dropped executable it refers to is maxoysj4762.exe, see "Executes dropped EXE" below.)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The process tree attributes this to the second maxoysj4762.exe instance (PID 1848).
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation | maxoysj4762.exe

Executes dropped EXE (2 IoCs)
pid | Process
904 | maxoysj4762.exe
1848 | maxoysj4762.exe

Loads dropped DLL (2 IoCs)
pid | Process
464 | EQNEDT32.EXE
1820 | cscript.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are itemised for this signature, but two related events appear elsewhere in the report: cscript.exe (PID 1820) creates the Internet Explorer IntelliForms\Storage2 key, which is where IE keeps saved form and password data, and the same process starts and writes into a Firefox.exe process (PID 964).
Suspicious use of SetThreadContext (3 IoCs)
The target image for each row is taken from the process tree.
description | pid | Process | procid_target | target image
PID 904 set thread context of 1848 | 904 | maxoysj4762.exe | 33 | maxoysj4762.exe (PID 1848)
PID 1848 set thread context of 1676 | 1848 | maxoysj4762.exe | 25 | WINWORD.EXE (PID 1676)
PID 1820 set thread context of 1272 | 1820 | cscript.exe | 15 | Explorer.EXE (PID 1272)

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
(wiatrace.log is a Windows Image Acquisition trace file that Office writes when it initialises imaging support; it is not the payload. The dropped executable lives under C:\Users\Admin\AppData\Roaming.)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; no IoC rows, file-encryption activity or ransom artefacts are recorded in this report, so treat the signature as low weight here.

Office loads VBA resources, possible macro or embedded object present
(No IoC rows are listed. The embedded object is the relevant one here: it is what launches Equation Editor, see below.)
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run it is started with -Embedding, i.e. COM-activated by the embedded object in the RTF rather than spawned by WINWORD.EXE, and it is the process that makes the first network request (flow 3), loads a dropped DLL and writes to and launches maxoysj4762.exe.
pid | Process
464 | EQNEDT32.EXE
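The report shows that opening the RTF is enough to COM-activate EQNEDT32.EXE, which means the document carries an embedded OLE object whose class resolves to Equation Editor. The following added example (not part of the tria.ge report or of the sample) shows how to check for that statically before detonation: it pulls every \objdata hex blob out of an RTF, parses the OLE 1.0 ObjectHeader (MS-OLEDS section 2.2.4: version, FormatID, length-prefixed class name, topic and item names, then native data) and flags class names beginning with "Equation.", the ProgID family EQNEDT32.EXE is registered under. Everything below is assumption-free except the constructed sample: the RTF and its native data are synthetic placeholders built inline, not the page's document.

```python
import re
import struct

# OLE 1.0 FormatID values from the ObjectHeader (MS-OLEDS 2.2.4).
OLE1_LINKED, OLE1_EMBEDDED = 1, 2


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex run in an RTF into raw bytes.

    Real documents split the hex across many lines and pad it with whitespace,
    so all whitespace is stripped before decoding.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata([0-9a-fA-F\s]*)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a dangling nibble rather than fail
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def _lps(blob: bytes, off: int):
    """Read a LengthPrefixedAnsiString: (string without NUL, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if n == 0:
        return b"", off
    if off + n > len(blob):
        raise ValueError("string runs past end of data")
    return blob[off:off + n].rstrip(b"\x00"), off + n


def parse_ole1_header(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader at the start of an \\objdata payload.

    Returns version, FormatID, class name and, for embedded objects, the offset and
    size of the native data (the part EQNEDT32.EXE would parse); None if not OLE1.
    """
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    if fmt not in (OLE1_LINKED, OLE1_EMBEDDED):
        return None
    try:
        class_name, off = _lps(blob, 8)
        _topic, off = _lps(blob, off)
        _item, off = _lps(blob, off)
    except ValueError:
        return None
    info = {"version": version, "format_id": fmt,
            "class_name": class_name.decode("latin-1"),
            "native_size": None, "native_offset": None}
    if fmt == OLE1_EMBEDDED and off + 4 <= len(blob):
        info["native_size"] = struct.unpack_from("<I", blob, off)[0]
        info["native_offset"] = off + 4
    return info


def triage_rtf(rtf: bytes) -> list:
    """Report every embedded object, flagging Equation Editor class names."""
    # \*\objclass is what the document claims; the OLE1 header is what is really there.
    claimed = [m.group(1).decode("latin-1").strip()
               for m in re.finditer(rb"\\objclass\s+([^\\{};]+)", rtf)]
    findings = []
    for i, blob in enumerate(extract_objdata_blobs(rtf)):
        hdr = parse_ole1_header(blob)
        name = hdr["class_name"] if hdr else ""
        findings.append({
            "index": i,
            "claimed_class": claimed[i] if i < len(claimed) else None,
            "ole1_class": name,
            "embedded": bool(hdr) and hdr["format_id"] == OLE1_EMBEDDED,
            "native_size": hdr["native_size"] if hdr else None,
            # Equation.3 is the ProgID EQNEDT32.EXE serves; any Equation.* object
            # should be inspected or detonated before the file is opened in Office.
            "equation_editor": name.lower().startswith("equation."),
        })
    return findings


def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object blob (constructed test data, not an exploit)."""
    def lps(s: bytes) -> bytes:
        return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, OLE1_EMBEDDED) + lps(class_name)
            + lps(b"") + lps(b"") + struct.pack("<I", len(native)) + native)


# Placeholder native data: a header-sized block plus filler, no real MTEF equation.
SAMPLE_NATIVE = b"\x1c\x00" + b"\x00" * 26 + b"constructed-filler-not-an-exploit"
SAMPLE_BLOB = _ole1_embedded(b"Equation.3", SAMPLE_NATIVE)
_hex = SAMPLE_BLOB.hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
              b"{\\object\\objemb\\objw1440\\objh720{\\*\\objclass Equation.3}\n"
              b"{\\*\\objdata " + b"\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))
              + b"}}\n\\par Constructed sample document.}\n")

if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

The parser trusts the OLE1 header over the \objclass keyword on purpose: a document can claim any class name in \objclass, but the ObjectHeader is what Word hands to OLE when it instantiates the object. Exploit documents also commonly hide the blob behind junk control words or line-split hex, which is why the extractor strips whitespace instead of expecting a clean run.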
Modifies Internet Explorer settings (32 IoCs)
All rows but one come from WINWORD.EXE registering Office's own HTML/MHTML editor verbs and IE menu extensions under HKLM\Software\Wow6432Node and the user hive. The "command" values given as hex are REG_BINARY UTF-16LE strings; decoded, they read xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1", a Windows Installer advertised (Darwin descriptor) form of the WINWORD.EXE /n "%1" command, so this block is Office self-registration noise rather than attacker persistence. The one exception is the IntelliForms\Storage2 key created by cscript.exe, which is IE's saved form/password store and belongs with the browser-data signature above.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Modifies registry class (64 IoCs)
Every row is WINWORD.EXE writing Office's own .htm/.mht handler registrations under HKLM\SOFTWARE\Classes (OpenWithList entries for Word, Excel and Publisher, the Excel DDE "open" verb, msohtmed.exe print/edit verbs and the msohevi.dll icon handler). None originates from maxoysj4762.exe or cscript.exe, so this block is Office registration noise on a fresh image, not attacker persistence; the DDE verbs here are Office defaults, not the DDE-abuse technique. The hex "command" values are UTF-16LE Windows Installer advertised commands of the same form as in the Internet Explorer table (the Publisher variant decodes to xb'BV5!!!!!!!!!MKKSkPubPrimary>R$nujSWFe?}aLrRp9x@W %1).
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
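The "Set value (data)" rows in the two registry tables above show a long hex string where a command line would normally be. The following added example (not part of the tria.ge report) decodes those values exactly as the report prints them: the bytes are UTF-16LE, and the resulting string is a Windows Installer advertised command, i.e. a Darwin descriptor of the form <20-char product code><feature name>'>'<20-char component id> followed by the arguments, which msiexec resolves to the real executable when the verb is invoked. The two hex constants are copied verbatim from the tables; the 20-character tokens are Windows Installer's compressed GUID encoding and are reported as-is rather than decompressed. The classifier at the end is the triage split an analyst wants when scanning shell\...\command values: advertised descriptor, absolute path, or a bare name that the shell will resolve at run time.

```python
# Registry "command" values copied from this report (REG_BINARY, UTF-16LE, NUL-terminated).
WORD_HTML_EDIT_CMD = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
)
PUB_HTM_EDIT_CMD = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "5000750062005000720069006d006100720079003e00520024006e0075006a005300570046006500"
    "3f007d0061004c00720052007000390078004000570020002500310000000000"
)

DARWIN_GUID_LEN = 20  # Windows Installer packs a GUID into 20 chars of a base-85 alphabet


def decode_reg_binary_utf16(hexstr: str) -> str:
    """Turn the report's hex dump into the string the registry actually holds."""
    text = bytes.fromhex(hexstr).decode("utf-16-le")
    return text.split("\x00", 1)[0]          # drop the NUL terminator and padding


def parse_darwin_descriptor(value: str):
    """Split an advertised (Darwin) shell command into its parts.

    Layout: <20-char product code><feature name>'>'<20-char component id>[ <args>]
    Returns None for values that are ordinary command lines.
    """
    head, _, args = value.partition(" ")
    if ">" not in head or len(head) <= 2 * DARWIN_GUID_LEN:
        return None
    product = head[:DARWIN_GUID_LEN]
    feature, _, component = head[DARWIN_GUID_LEN:].partition(">")
    if len(component) != DARWIN_GUID_LEN or not feature:
        return None
    return {"product": product, "feature": feature, "component": component, "args": args}


def classify_shell_command(value: str) -> str:
    """Label a shell\\...\\command value the way an analyst triages it."""
    if parse_darwin_descriptor(value):
        return "msi-advertised"   # resolved by msiexec at open time; typical of Office self-registration
    stripped = value.lstrip('"')
    if stripped[:1].isalpha() and stripped[1:3] == ":\\":
        return "absolute-path"    # points at a concrete binary; check the path and its signer
    return "unresolved"           # bare name resolved via PATH/App Paths; worth a closer look


if __name__ == "__main__":
    for label, hexval in (("Word", WORD_HTML_EDIT_CMD), ("Publisher", PUB_HTM_EDIT_CMD)):
        decoded = decode_reg_binary_utf16(hexval)
        print(label, repr(decoded))
        print("  ", classify_shell_command(decoded), parse_darwin_descriptor(decoded))
```

Both values share the same product token, which is what you would expect from two verbs registered by one Office installation; they differ only in feature (WORDFiles versus PubPrimary), component and arguments. An advertised command is normal where Office owns the key, so the useful check is not the descriptor itself but whether a descriptor or a path ever shows up under a verb that a non-installer process such as cscript.exe wrote.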
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1676 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process | rows
1848 | maxoysj4762.exe | 4
1820 | cscript.exe | 40

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1272 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process | rows
1848 | maxoysj4762.exe | 3
1820 | cscript.exe | 4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1848 | maxoysj4762.exe
Token: SeDebugPrivilege | 1820 | cscript.exe
Token: SeShutdownPrivilege | 1272 | Explorer.EXE
Token: SeShutdownPrivilege | 1272 | Explorer.EXE
(SeDebugPrivilege in the dropped executable and in cscript.exe is what the SetThreadContext/WriteProcessMemory rows into other processes require.)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1676 | WINWORD.EXE
1676 | WINWORD.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
Identical rows are collapsed; 23 rows are visible in this capture against the signature's count of 24, so the end of the list is cut off.
description | pid | Process | procid_target | rows
PID 464 wrote to memory of 904 | 464 | EQNEDT32.EXE | 29 | 4
PID 1676 wrote to memory of 976 | 1676 | WINWORD.EXE | 32 | 4
PID 904 wrote to memory of 1848 | 904 | maxoysj4762.exe | 33 | 7
PID 1676 wrote to memory of 1820 | 1676 | WINWORD.EXE | 35 | 4
PID 1820 wrote to memory of 964 | 1820 | cscript.exe | 36 | 4
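The parent/child, SetThreadContext and WriteProcessMemory tables above are three views of one chain, and the sandbox's own "unexpected child" rule misses the most important link because EQNEDT32.EXE has no parent in the tree. The following added example (not part of the tria.ge report) reconstructs the chain from those tables: it takes the process list and cross-process rows as constructed tuples copied from this report, flags children of Office hosts that are not on an allowlist, and walks spawn and thread-hijack edges from the Equation Editor process to show where the payload ends up. The host set and the allowlist are assumptions to tune per environment; everything else is read off the report.

```python
from collections import defaultdict, deque

# Process list reconstructed from this report's process tree: (pid, image, parent pid).
# EQNEDT32.EXE has no parent here because it is COM-activated (-Embedding), which is
# exactly why a rule keyed on WINWORD.EXE as the parent never sees its child.
PROCESSES = [
    (1272, "Explorer.EXE", None),
    (1676, "WINWORD.EXE", 1272),
    (976, "splwow64.exe", 1676),
    (1732, "autoconv.exe", 1676),
    (1820, "cscript.exe", 1676),
    (964, "Firefox.exe", 1820),
    (464, "EQNEDT32.EXE", None),
    (904, "maxoysj4762.exe", 464),
    (1848, "maxoysj4762.exe", 904),
]

# Cross-process rows from the SetThreadContext / WriteProcessMemory signatures,
# duplicates collapsed: (source pid, target pid, api).
CROSS_PROCESS = [
    (904, 1848, "SetThreadContext"),
    (1848, 1676, "SetThreadContext"),
    (1820, 1272, "SetThreadContext"),
    (464, 904, "WriteProcessMemory"),
    (1676, 976, "WriteProcessMemory"),
    (904, 1848, "WriteProcessMemory"),
    (1676, 1820, "WriteProcessMemory"),
    (1820, 964, "WriteProcessMemory"),
]

# Images treated as Office document hosts (assumption; extend for your estate).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Children an Office host legitimately starts. splwow64.exe is the 64-bit print
# spooler proxy and appears in clean runs too (assumption: an allowlist to tune).
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe"}


def unexpected_children(processes):
    """Flag children of Office hosts that are not on the allowlist."""
    image = {pid: img for pid, img, _ in processes}
    hits = []
    for pid, img, ppid in processes:
        if ppid is None:
            continue
        if image[ppid].lower() in OFFICE_HOSTS and img.lower() not in ALLOWED_OFFICE_CHILDREN:
            hits.append((ppid, image[ppid], pid, img))
    return hits


def build_edges(processes, cross_process):
    """Directed graph of spawn edges plus cross-process manipulation edges.

    WriteProcessMemory into a process the writer itself created is how a parent
    sets up its child, so it is dropped; SetThreadContext, and any write into a
    process the source did not spawn, is kept as an injection edge.
    """
    parent = {pid: ppid for pid, _, ppid in processes}
    edges = defaultdict(list)
    for pid, _, ppid in processes:
        if ppid is not None:
            edges[ppid].append((pid, "spawn"))
    for src, dst, api in cross_process:
        if api == "SetThreadContext" or parent.get(dst) != src:
            edges[src].append((dst, api))
    return edges


def attack_chain(processes, cross_process, root):
    """Breadth-first walk from `root`; returns (source, api, target) triples in order.

    A spawn edge back into a process already reached (Explorer -> WINWORD after
    cscript.exe injected into Explorer) is skipped: it predates the chain.
    """
    image = {pid: img for pid, img, _ in processes}
    edges = build_edges(processes, cross_process)
    seen, chain, queue = {root}, [], deque([root])
    while queue:
        cur = queue.popleft()
        for dst, kind in edges[cur]:
            if kind == "spawn" and dst in seen:
                continue
            chain.append((f"{image[cur]}({cur})", kind, f"{image[dst]}({dst})"))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return chain


def injected_system_processes(processes, cross_process):
    """Processes whose thread context was set by a different image: where to dump
    memory and where to attribute later network activity."""
    image = {pid: img for pid, img, _ in processes}
    return sorted({(dst, image[dst]) for src, dst, api in cross_process
                   if api == "SetThreadContext" and image[src].lower() != image[dst].lower()})


if __name__ == "__main__":
    for hit in unexpected_children(PROCESSES):
        print("unexpected child:", hit)
    for step in attack_chain(PROCESSES, CROSS_PROCESS, 464):
        print(" -> ".join(step))
    print("injected:", injected_system_processes(PROCESSES, CROSS_PROCESS))
```

Run against this report the walk goes EQNEDT32.EXE to maxoysj4762.exe (904), a second copy of itself (1848) via spawn plus SetThreadContext, then into WINWORD.EXE, which then starts autoconv.exe and cscript.exe, and cscript.exe in turn starts Firefox.exe and sets a thread context in Explorer.EXE. The tables carry no timestamps, so spawn edges out of one node are listed in tree order, not execution order.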
Processes

C:\Windows\Explorer.EXE (PID 1272)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1676, child of 1272)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\(RFQ) – 14000102697.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 976, child of 1676)
      command line: C:\Windows\splwow64.exe 12288
    C:\Windows\SysWOW64\autoconv.exe (PID 1732, child of 1676)
      command line: "C:\Windows\SysWOW64\autoconv.exe"
      - Process spawned unexpected child process
    C:\Windows\SysWOW64\cscript.exe (PID 1820, child of 1676)
      command line: "C:\Windows\SysWOW64\cscript.exe"
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Mozilla Firefox\Firefox.exe (PID 964, child of 1820)
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 464, COM-activated: no parent in the tree)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\maxoysj4762.exe (PID 904, child of 464)
    command line: "C:\Users\Admin\AppData\Roaming\maxoysj4762.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\maxoysj4762.exe (PID 1848, child of 904)
      command line: "C:\Users\Admin\AppData\Roaming\maxoysj4762.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Reading the tree together with the signature tables: WINWORD.EXE opens the RTF and the embedded object COM-activates EQNEDT32.EXE, which is why Equation Editor is a second tree root rather than a child of Word. EQNEDT32.EXE makes the first network request (flow 3), downloads a PE, writes maxoysj4762.exe to AppData\Roaming and runs it. The first copy (904) starts a second copy of itself (1848) and sets its thread context, the second copy performs the geofence check and sets a thread context in WINWORD.EXE (1676), and Word then launches autoconv.exe and cscript.exe, neither of which it is expected to spawn. cscript.exe makes the second network request (flow 9), loads a dropped DLL, sets a thread context in Explorer.EXE (1272), starts and writes into a Firefox.exe process, and creates the IE IntelliForms\Storage2 key, which is the activity behind "Reads user/profile data of web browsers". The IE and registry-class modifications attributed to WINWORD.EXE are Office's own first-launch registration and should be set aside when hunting for persistence.
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists the dropped or downloaded files by hash only; no file paths are included in this capture. The 585KB file is recorded five times with identical hashes and is shown once below.

Filesize: 553KB
MD5: 5e2d04cb2fae4e811ca35675c472f5fc
SHA1: 6e2359f8e81f1a1122d1fb50b064878f2aaefc68
SHA256: dd46a298ab90ca9ba8a1f633f20abe2dcb805596b5aa68dcb84cce99e3a56be1
SHA512: 53c8701768ee4a43a6b2095af00aa5f2c53445021a91d3567d02cf8157c7b7c4e629c5c70bb24697d365a7c41c791af0c68b511ab3cf5f356d9d929618421d05

Filesize: 20KB
MD5: d18b3b3d0e7165f536c8686364900204
SHA1: 7f29cbae3271e278e2b1bae7d64cf8c66322e85c
SHA256: bbb7e1fe1b937fa813be56126738740cd27a4a7459a3764f630899c8e01b89a7
SHA512: 86e82c461a2adce8c7898ac447a0409c5714dac6f4f8876ba56b37a83e7ec1e4d43ec9d0b612bb409eadd2dc2dd7f6461da792b825ffd6cd5d5105398e721d3a

Filesize: 585KB (recorded five times in the report)
MD5: d6bf1f473ce21610f125492e27d1a4e4
SHA1: c51444cd94cbfb2f955f555feac4512ed7ef33d1
SHA256: 898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
SHA512: 80bd6043c1db88b2c00225edfef7bc66f573421816c7b52f1a6478b09060dfd2b95994be549d11269f74b332c4cef8b79f9b430fb0da6ac21226b50ec1cc4b74

Filesize: 1.0MB
MD5: f1e5f58f9eb43ecec773acbdb410b888
SHA1: f1b8076b0bbde696694bbc0ab259a77893839464
SHA256: a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA512: 0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456