Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2023 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: e230816a29bb8af0b5f24adfbe5eff62.rtf
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: e230816a29bb8af0b5f24adfbe5eff62.rtf
  Resource: win10v2004-20230220-en
General
Target: e230816a29bb8af0b5f24adfbe5eff62.rtf
Size: 25KB
MD5: e230816a29bb8af0b5f24adfbe5eff62
SHA1: 841fb495cc824fb043d1be3f033326294745dfff
SHA256: 061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3
SHA512: 8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7
SSDEEP: 768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: xchu
Domains (Formbook configurations carry decoy domains alongside the live C2 and the report does not separate them, so treat the list as a whole rather than as confirmed C2):
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Formbook payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1256-96-0x0000000000400000-0x0000000001462000-memory.dmp   formbook
  behavioral1/memory/1256-105-0x0000000000400000-0x0000000001462000-memory.dmp  formbook
  behavioral1/memory/2032-107-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  behavioral1/memory/2032-109-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid  process
  3     956  EQNEDT32.EXE
Downloads MZ/PE file
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks for the presence of the QEMU guest agent binary, possibly to detect virtualization.
Processes:
  description              ioc                                   process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  registry_clean.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  registry_clean.exe
Executes dropped EXE 1 IoCs
Processes:
  pid  process
  668  registry_clean.exe
Loads dropped DLL 6 IoCs
Processes:
  pid   process
  956   EQNEDT32.EXE (4 entries)
  668   registry_clean.exe
  1256  registry_clean.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
  pid   process
  1256  registry_clean.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid   process
  668   registry_clean.exe
  1256  registry_clean.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process             target process
  PID 668 set thread context of 1256   668   registry_clean.exe  registry_clean.exe
  PID 1256 set thread context of 1216  1256  registry_clean.exe  Explorer.EXE
  PID 2032 set thread context of 1216  2032  control.exe         Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
  description                    ioc                                 process
  File opened for modification   C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 16 IoCs
Processes:
  resource                             yara_rule
  \Users\Public\registry_clean.exe     nsis_installer_1, nsis_installer_2 (4 matches each)
  C:\Users\Public\registry_clean.exe   nsis_installer_1, nsis_installer_2 (4 matches each)
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 31 IoCs
Processes: WINWORD.EXE (all entries)
  description       ioc
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Key created       \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str)   \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created       \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (int)   \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created       \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (str)   \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (str)   \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  Key created       \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (int)   \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
Modifies registry class 64 IoCs
Processes: WINWORD.EXE (all entries)
  description       ioc
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Key deleted       \REGISTRY\MACHIN\SOFTWARE\Classes\mhtmlfile\shell\Print
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
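The "Set value (data)" entries in the two registry tables above (the values named "command" under "...\shell\edit\command") are REG_BINARY blobs that the sandbox prints as hex. They decode to UTF-16LE text with the layout of a Windows Installer advertised-component ("Darwin") descriptor: a 20-character compressed product GUID, a feature name, ">", a 20-character compressed component GUID and the handler's arguments. The Python below is an added example, not part of the sandbox report: it decodes the two distinct blobs copied from the tables and expands the compressed GUIDs. The 85-symbol alphabet and 5-characters-per-DWORD grouping are Windows Installer's; the function names are this example's own.

```python
"""Decode the REG_BINARY 'command' values written by WINWORD.EXE.

Added example, not part of the sandbox report. The two hex blobs are copied
from the report's registry tables; the alphabet and field layout are Windows
Installer's compressed-GUID ("Darwin descriptor") encoding.
"""
import uuid

# Windows Installer's 85-symbol alphabet for compressed GUIDs, in index order.
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_`abcdefghijklmnopqrstuvwxyz{}~")

# Report: ...\Internet Explorer\Default HTML Editor\shell\edit\command\command
#         ...\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command
WORD_EDIT_COMMAND_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
)
# Report: ...\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command
EXCEL_EDIT_COMMAND_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
    "3800270077002100460049006400310067004c00510020002f0064006400650000000000"
)


def decode_reg_binary_utf16(hex_blob: str) -> str:
    """REG_BINARY bytes as the sandbox printed them -> the UTF-16LE string inside."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte length")
    return raw.decode("utf-16-le").rstrip("\x00")


def decompress_darwin_guid(compressed: str) -> str:
    """20-character compressed GUID -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'.

    Each 5-character group is a base-85 number, least significant symbol first,
    holding one little-endian DWORD of the 16-byte GUID structure.
    """
    if len(compressed) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    raw = bytearray()
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(compressed[i:i + 5]):
            value = value * 85 + DARWIN_ALPHABET.index(ch)  # ValueError on a bad symbol
        raw += value.to_bytes(4, "little")                 # OverflowError if > 32 bits
    # bytes_le interprets Data1/Data2/Data3 as little-endian, as Windows stores them.
    return "{" + str(uuid.UUID(bytes_le=bytes(raw))).upper() + "}"


def parse_darwin_descriptor(text: str) -> dict:
    """Split '<product(20)><feature>><component(20)> <args>' into its fields."""
    product, rest = text[:20], text[20:]
    feature, sep, tail = rest.partition(">")
    if not sep or len(tail) < 20:
        raise ValueError("not a feature>component descriptor")
    return {
        "product_code": decompress_darwin_guid(product),
        "feature": feature,
        "component_code": decompress_darwin_guid(tail[:20]),
        "args": tail[20:].strip(),
    }


if __name__ == "__main__":
    for name, blob in (("WORD", WORD_EDIT_COMMAND_HEX), ("EXCEL", EXCEL_EDIT_COMMAND_HEX)):
        text = decode_reg_binary_utf16(blob)
        print(name, repr(text))
        print("  ", parse_darwin_descriptor(text))
```

The product code in both blobs decodes to {90140000-0011-0000-0000-0000000FF1CE}, an Office 2010 (Office14) product code, consistent with the Office14 install path elsewhere in the report; the feature names are WORDFiles and EXCELFiles and the trailing arguments are the same /n "%1" and /dde seen in the neighbouring "str" values. That marks the registry churn under Classes and Internet Explorer as Office registering its own file handlers when the document was opened, not persistence written by the payload, which runs in registry_clean.exe, Explorer.EXE and control.exe. Decoding such blobs is cheap and saves chasing them as IoCs.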
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1696  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
  pid   process
  1256  registry_clean.exe (2 entries)
  2032  control.exe (16 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1216  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid   process
  668   registry_clean.exe
  1256  registry_clean.exe (3 entries)
  2032  control.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1256  registry_clean.exe
  Token: SeShutdownPrivilege  1216  Explorer.EXE
  Token: SeDebugPrivilege     2032  control.exe
  Token: SeShutdownPrivilege  1216  Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  1696  WINWORD.EXE (2 entries)
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description                       pid   process             target process
  PID 956 wrote to memory of 668    956   EQNEDT32.EXE        registry_clean.exe  (4 entries)
  PID 668 wrote to memory of 1256   668   registry_clean.exe  registry_clean.exe  (5 entries)
  PID 1696 wrote to memory of 1752  1696  WINWORD.EXE         splwow64.exe        (4 entries)
  PID 1216 wrote to memory of 2032  1216  Explorer.EXE        control.exe         (4 entries)
  PID 2032 wrote to memory of 1108  2032  control.exe         cmd.exe             (4 entries)
Processes (tree; PIDs taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 1216)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1696)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e230816a29bb8af0b5f24adfbe5eff62.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1752)
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\control.exe (PID 2032)
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1108)
      command line: /c del "C:\Users\Public\registry_clean.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 956)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\registry_clean.exe (PID 668)
    command line: "C:\Users\Public\registry_clean.exe"
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\registry_clean.exe (PID 1256)
      command line: "C:\Users\Public\registry_clean.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize  20KB
  MD5       181bdc4b6cce3d69083ccb4c7a9c80e4
  SHA1      cc546ec2fd8d23308b077242c2310532a54b89f5
  SHA256    6ac79053493a9e899e6293d0d990c400e6f68fdf3bc54d608b76c030d5a51fe0
  SHA512    e89fa9415ab2039104f34436e4b898885d44d56c8c37fcfcdb0a18ee46d33c392459c03a83f8ac12e3503c4ced2367fc587c5e58e6917f2bf5238eedaa735463

C:\Users\Public\registry_clean.exe
  Filesize  371KB
  MD5       bb82589608f2312e9bf9d0c63c8a3d68
  SHA1      c66d15184ef9a38a7423f1a6fbc60c94132051f9
  SHA256    3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f
  SHA512    c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

\Users\Admin\AppData\Local\Temp\nsy3BF9.tmp\System.dll (the NSIS System plug-in, unpacked by the installer stub)
  Filesize  11KB
  MD5       0063d48afe5a0cdc02833145667b6641
  SHA1      e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256    ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512    71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

\Users\Public\registry_clean.exe (same hashes as C:\Users\Public\registry_clean.exe above)
  Filesize  371KB
  MD5       bb82589608f2312e9bf9d0c63c8a3d68
  SHA1      c66d15184ef9a38a7423f1a6fbc60c94132051f9
  SHA256    3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f
  SHA512    c839f9653e021cd06deaa1b529506596598473f8e62347a5a01e88a09fdf6316a17e5cad8502646fc40db955505c44082ba5ed1e62bd2ce8e8bf8daa1dcecb3a

Memory dumps
  memory/668-84-0x0000000002E40000-0x000000000605F000-memory.dmp    50.1MB
  memory/668-89-0x0000000002E40000-0x000000000605F000-memory.dmp    50.1MB
  memory/1216-98-0x00000000001B0000-0x00000000002B0000-memory.dmp   1024KB
  memory/1216-117-0x0000000004CE0000-0x0000000004D7C000-memory.dmp  624KB
  memory/1216-114-0x0000000004CE0000-0x0000000004D7C000-memory.dmp  624KB
  memory/1216-113-0x0000000004CE0000-0x0000000004D7C000-memory.dmp  624KB
  memory/1216-101-0x0000000006C80000-0x0000000006D65000-memory.dmp  916KB
  memory/1256-97-0x0000000001470000-0x000000000468F000-memory.dmp   50.1MB
  memory/1256-96-0x0000000000400000-0x0000000001462000-memory.dmp   16.4MB
  memory/1256-100-0x0000000034450000-0x0000000034464000-memory.dmp  80KB
  memory/1256-99-0x00000000348C0000-0x0000000034BC3000-memory.dmp   3.0MB
  memory/1256-102-0x0000000001470000-0x000000000468F000-memory.dmp  50.1MB
  memory/1256-105-0x0000000000400000-0x0000000001462000-memory.dmp  16.4MB
  memory/1256-91-0x0000000000400000-0x0000000001462000-memory.dmp   16.4MB
  memory/1256-92-0x0000000001470000-0x000000000468F000-memory.dmp   50.1MB
  memory/1256-94-0x0000000000400000-0x0000000001462000-memory.dmp   16.4MB
  memory/1696-54-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
  memory/1696-136-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/2032-104-0x0000000000940000-0x000000000095F000-memory.dmp  124KB
  memory/2032-112-0x0000000001D60000-0x0000000001DF3000-memory.dmp  588KB
  memory/2032-109-0x0000000000080000-0x00000000000AF000-memory.dmp  188KB
  memory/2032-107-0x0000000000080000-0x00000000000AF000-memory.dmp  188KB
  memory/2032-108-0x0000000001EF0000-0x00000000021F3000-memory.dmp  3.0MB
  memory/2032-103-0x0000000000940000-0x000000000095F000-memory.dmp  124KB