Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2023 13:18
Static task
static1
Behavioral task
behavioral1
Sample
UBIN0231541484.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
UBIN0231541484.docx
Resource
win10v2004-20230221-en
General
-
Target
UBIN0231541484.docx
-
Size
14KB
-
MD5
68ec0315e8c7d6a99bc11d1c3165f1ea
-
SHA1
8fb882147e3c5b3ff413b022358916492c071855
-
SHA256
d76cc47a412eb217e437f4292b240e3858d35a927048e6240b815eaea2aa1b79
-
SHA512
6127459e215b67939e95eb6796ecd14579b4158269b1ff09b68d2aff7f324fa0ac9f6b9889b614d13fc2c675ebea115f4c31e25e77ad3989ab62b93a0ef08bc1
-
SSDEEP
192:4fiPeafL1ef4sfFONVJ0spH3RfuAfD7ZtNYg3dx5BO8Qk5i9AE/y7faVj1qqfLf3:SU1wYZ//368Qk50a+FJ3W7mn/
Malware Config
Extracted
formbook
4.1
gtt8
42taijijian.com
rehnimiyanales.com
cst247.shop
usdt09.tech
lennartjahn.com
aaabestcbd.com
marketing-digital-france-2.xyz
be4time.com
slotyfly.com
parimaladragonflywellness.life
phonereda.com
01076.win
thehoundlounge.info
high-vent.co.uk
14thfeb.com
onlyforks.info
joseeandtim.com
mylegoclub.com
iuser-findmy.info
uninassaupolopinheiro.com
tgomubira.shop
nebulanurseries.com
userfirstinteractive.com
jttobrands.com
e-pasport.com
xfinity-emailreconfirm.com
flora-block.com
crsplife.com
yourtechhousecall.com
lorrainedavistraining.com
thrivixcollection.com
quetthesieure.com
enrysisland.tech
himedya1.shop
luteblush.shop
caishen2.top
bestsellernouveau.com
casnation.com
shesurfbyronbay.com
cm98g0.com
continuumgblsupport.com
indianrailways.tech
findfetishcams.com
terracarepropertyservices.com
sav-client-chronopost.info
kedaionline250.shop
FORUM-ROMANUM.NET
dico-live.com
cabanaatthepointe.com
kuendubeachresort.com
biodigitalhealthcare.net
terompa.site
yongbangsd.com
hana-life2525.com
vmagaz.fun
meuble-chaussure-entree.site
bibaha.live
mocktailmasters.fun
shielings-unmusical.click
plane-jaynes.com
miracle-island.com
tilescitybd.com
respondaquiz.online
municipiodesombrerete.com
housy.host
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Formbook payload 5 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/968-330-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
  behavioral1/memory/968-337-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
  behavioral1/memory/968-345-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
  behavioral1/memory/1904-348-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
  behavioral1/memory/1904-349-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  17 | 1612 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | clean_registry.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | clean_registry.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  976 | clean_registry.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid | process
  1612 | EQNEDT32.EXE
  976 | clean_registry.exe
  976 | clean_registry.exe
  968 | clean_registry.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
  pid | process
  968 | clean_registry.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid | process
  976 | clean_registry.exe
  968 | clean_registry.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description | pid | process | target process
  PID 976 set thread context of 968 | 976 | clean_registry.exe | clean_registry.exe
  PID 968 set thread context of 1280 | 968 | clean_registry.exe | Explorer.EXE
  PID 968 set thread context of 1280 | 968 | clean_registry.exe | Explorer.EXE
  PID 1904 set thread context of 1280 | 1904 | cmmon32.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 12 IoCs
Processes:
  resource | yara_rule
  C:\Users\Public\clean_registry.exe | nsis_installer_1
  C:\Users\Public\clean_registry.exe | nsis_installer_2
  \Users\Public\clean_registry.exe | nsis_installer_1
  \Users\Public\clean_registry.exe | nsis_installer_2
  C:\Users\Public\clean_registry.exe | nsis_installer_1
  C:\Users\Public\clean_registry.exe | nsis_installer_2
  C:\Users\Public\clean_registry.exe | nsis_installer_1
  C:\Users\Public\clean_registry.exe | nsis_installer_2
  \Users\Public\clean_registry.exe | nsis_installer_1
  \Users\Public\clean_registry.exe | nsis_installer_2
  C:\Users\Public\clean_registry.exe | nsis_installer_1
  C:\Users\Public\clean_registry.exe | nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  928 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
  pid | process
  968 | clean_registry.exe (3 identical entries)
  1904 | cmmon32.exe (13 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  1280 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid | process
  976 | clean_registry.exe
  968 | clean_registry.exe (4 identical entries)
  1904 | cmmon32.exe (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 968 | clean_registry.exe
  Token: SeShutdownPrivilege | 1280 | Explorer.EXE
  Token: SeDebugPrivilege | 1904 | cmmon32.exe
  Token: SeShutdownPrivilege | 1280 | Explorer.EXE
  Token: SeShutdownPrivilege | 928 | WINWORD.EXE
  Token: SeShutdownPrivilege | 1280 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | process
  928 | WINWORD.EXE (2 identical entries)
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  description | pid | process | target process
  PID 1612 wrote to memory of 976 | 1612 | EQNEDT32.EXE | clean_registry.exe (7 identical entries)
  PID 928 wrote to memory of 1364 | 928 | WINWORD.EXE | splwow64.exe (4 identical entries)
  PID 976 wrote to memory of 968 | 976 | clean_registry.exe | clean_registry.exe (8 identical entries)
  PID 1280 wrote to memory of 1904 | 1280 | Explorer.EXE | cmmon32.exe (4 identical entries)
  PID 1904 wrote to memory of 1752 | 1904 | cmmon32.exe | cmd.exe (4 identical entries)
Processes
-
Explorer.EXE (depth 1)
  Path: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  WINWORD.EXE (depth 2)
    Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\UBIN0231541484.docx"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    splwow64.exe (depth 3)
      Path: C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  cmmon32.exe (depth 2)
    Path: C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    cmd.exe (depth 3)
      Path: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\clean_registry.exe"
EQNEDT32.EXE (depth 1)
  Path: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  clean_registry.exe (depth 2)
    Path: C:\Users\Public\clean_registry.exe
    Command line: "C:\Users\Public\clean_registry.exe"
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    clean_registry.exe (depth 3)
      Path: C:\Users\Public\clean_registry.exe
      Command line: "C:\Users\Public\clean_registry.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: feacd0cec0013453f4656e845213f9ea
  SHA1: c5d680aba3b93aac7faa184557ca6a841deac9b9
  SHA256: 6ab550cf107301b8e0b828b164325e00a56793e655ef19caa89d1385dfadad79
  SHA512: 549a8ee32a2d2d6b51f9fb57a2d45c89be0a847785ae2a752fd110103325daf88395edc90b09dbdcc179f62ed94ac22d2c68d9cfc2f14e4fbe1dc8c681f1c4cc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{01309B31-BA04-41FA-8A19-D26181403434}.FSD
  Filesize: 128KB
  MD5: 3a3a35d7fc3c232dca79739d5a864bf6
  SHA1: 594f03985d2d8fa234ce551922ea3eeef7585025
  SHA256: 73c996f08c6188a3fb83c3ad198677963ceb86ecb3d317bcf0f665a0edfc66f9
  SHA512: 1e86765e96f1b1200699dbb10b0e9be7477f9cbb1c1f2b3960e9a92724bbe6b78dab31e3684b9d4502e21ecd546bd5980d541909795a336cdb57343882bbed92
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: d8e6a27fbba2fe8179ba5bf2e8c84f6d
  SHA1: d75b6869ab81c9226e0e08d378ef29380ee59128
  SHA256: 1a0236488c59dbb008a0b2cc69216f0d53332d15b95626fb64e25c6bc9d6f58b
  SHA512: 87064052289c5093476a790f60abec2b7e33143a35b1120d299e6ff67900b22d4d06c610b9b173fe850ce8e39270f273b7e8dd84c8b86ac7435bfb7a78d1be90
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F0F4F581-3C31-4046-84BE-53BF3AF975DB}.FSD
  Filesize: 128KB
  MD5: 71092882816d528b636c51e9742005ec
  SHA1: 5f193a26bcf9962b6fe05a39bad597711212364b
  SHA256: 17bbcfb82de03c1286ea08d51f8682a33547a17005d2986cfccb957037d4fe16
  SHA512: 00740441f4ac6e7541bd29ba41dcfe6e915ba11a7a8d13599b215b51b558993f2790a9396594d6e5ae0b80c3d9503fd969ccc4a9e0ea4eca05aa56ee07fba2b7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\rsrsrsrsrsrrsrsrsrsrsrsrssrsrsr############################rsrsrsrsrsrsrsrsrsrs[1].doc
  Filesize: 22KB
  MD5: 39669a47b553f5d6b3ed6b730d7852f9
  SHA1: 74b365ae0dc316eee5de6df5911019cabe512efb
  SHA256: 8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d
  SHA512: 1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDE89E9C.dat
  Filesize: 1KB
  MD5: a19e3005f2cf4408c6a0ef18419fd9cf
  SHA1: 2b2fe21480eae6c5bbc3bdc736e1186815fecffc
  SHA256: 01188acaff9047e8b0e6293aa34350f74b8b27f425323323b3ebd16e0284a26e
  SHA512: f2c3dcc37e1868612cf73c976385c00d11c0b52db3846ab8a19d2fdf9cc0a0ec9e704da7607bb56076de7c57743f581d4ba56924994a89e692d20fe16b7ee7aa
-
C:\Users\Admin\AppData\Local\Temp\Cab4493.tmp
  Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar4620.tmp
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Local\Temp\{0BB0D673-A534-4FF1-9171-23FC228CE535}
  Filesize: 128KB
  MD5: 861992f57679b0842d2134287d70a37a
  SHA1: 709abada64907c6c4de237b7a9dcc3ec5a8de352
  SHA256: 266bc5bc0aa2e31afbf0a453d67b68910dfa97dc4de4e8539ba06d7769196318
  SHA512: 0cf6ef53b75287927119d6eb32c334f0feebcace11807a8b118157e5b8f554f165aed5a34c7734ba4210d851cb3949ecba8135961f3ad9e830757f2730566744
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 48c29f59b10032b21504b4ee65a9f864
  SHA1: 1474498d6c8ba79ff7a806464f8d072a28524356
  SHA256: c2a33e58d8596e826f6ed395bd0dcde0706c842cb7e0915a5a0318da8875d7d6
  SHA512: 27e4702912089e7517d21dd4dae361ffad8d921b68f94d2f003ef3b60222a5ec000b0928e66a7d42af317e5ff016fef6c85699022b7e6d9f8da9c7ec2a18d51a
-
C:\Users\Public\clean_registry.exe
  Filesize: 285KB
  MD5: a413d04a39c86bd0b4ca116227d20a30
  SHA1: 0d88f2cca0aae58c31add82851c42fa1702cd4cf
  SHA256: 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
  SHA512: e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318
-
\Users\Admin\AppData\Local\Temp\nst6460.tmp\System.dll
  Filesize: 11KB
  MD5: 0063d48afe5a0cdc02833145667b6641
  SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Public\clean_registry.exe
  Filesize: 285KB
  MD5: a413d04a39c86bd0b4ca116227d20a30
  SHA1: 0d88f2cca0aae58c31add82851c42fa1702cd4cf
  SHA256: 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
  SHA512: e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318
-
memory/928-378-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
-
memory/928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
-
memory/968-329-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
-
memory/968-328-0x0000000001470000-0x00000000043A8000-memory.dmp
  Filesize: 47.2MB
-
memory/968-327-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
-
memory/968-330-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
-
memory/968-331-0x0000000001470000-0x00000000043A8000-memory.dmp
  Filesize: 47.2MB
-
memory/968-332-0x00000000345F0000-0x00000000348F3000-memory.dmp
  Filesize: 3.0MB
-
memory/968-345-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
-
memory/968-334-0x0000000001470000-0x00000000043A8000-memory.dmp
  Filesize: 47.2MB
-
memory/968-335-0x0000000034460000-0x0000000034474000-memory.dmp
  Filesize: 80KB
-
memory/968-342-0x0000000001470000-0x00000000043A8000-memory.dmp
  Filesize: 47.2MB
-
memory/968-337-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
-
memory/968-340-0x0000000000080000-0x0000000000094000-memory.dmp
  Filesize: 80KB
-
memory/976-324-0x0000000002FD0000-0x0000000005F08000-memory.dmp
  Filesize: 47.2MB
-
memory/976-308-0x0000000002FD0000-0x0000000005F08000-memory.dmp
  Filesize: 47.2MB
-
memory/1280-341-0x0000000007220000-0x00000000073AD000-memory.dmp
  Filesize: 1.6MB
-
memory/1280-336-0x0000000006B70000-0x0000000006CB0000-memory.dmp
  Filesize: 1.2MB
-
memory/1280-385-0x00000000074F0000-0x000000000767D000-memory.dmp
  Filesize: 1.6MB
-
memory/1280-333-0x0000000000340000-0x0000000000440000-memory.dmp
  Filesize: 1024KB
-
memory/1280-383-0x00000000074F0000-0x000000000767D000-memory.dmp
  Filesize: 1.6MB
-
memory/1280-381-0x00000000074F0000-0x000000000767D000-memory.dmp
  Filesize: 1.6MB
-
memory/1904-343-0x0000000000560000-0x000000000056D000-memory.dmp
  Filesize: 52KB
-
memory/1904-352-0x0000000000570000-0x0000000000603000-memory.dmp
  Filesize: 588KB
-
memory/1904-349-0x0000000000080000-0x00000000000AF000-memory.dmp
  Filesize: 188KB
-
memory/1904-348-0x0000000000080000-0x00000000000AF000-memory.dmp
  Filesize: 188KB
-
memory/1904-347-0x0000000002170000-0x0000000002473000-memory.dmp
  Filesize: 3.0MB
-
memory/1904-344-0x0000000000560000-0x000000000056D000-memory.dmp
  Filesize: 52KB