Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
08-06-2023 05:30
Static task
static1
Behavioral task
behavioral1
Sample
8f6f20b9800cc3739e08c986979fe886.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
8f6f20b9800cc3739e08c986979fe886.rtf
Resource
win10v2004-20230221-en
General
-
Target
8f6f20b9800cc3739e08c986979fe886.rtf
-
Size
27KB
-
MD5
8f6f20b9800cc3739e08c986979fe886
-
SHA1
945fc5d51604afd6e92c84fac68e336680d37abc
-
SHA256
4fe0591d0c5bd1f27e2a384aa171139b371847c545e9eae6e7bc6269a954a58b
-
SHA512
e5a31cf4eb09b45990de61527c98a3bb5726ce52bd9b103535bb347d18e60943b1d12d73f7aec23a6b214abb0cad952aec560ccb71064b131254018ecf646b71
-
SSDEEP
768:DHe6wuA/+TFngTG1tl2qGOQP0u2kPdU8S7C5G3fljgBQ/sp:DHOuA/+TFngC1u2kl7wm7p
Malware Config
Extracted
formbook
4.1
xchu
zcartoons.com
castilloshowroom.com
3bmmdtod.life
misaxoxo.com
nadiya.online
sykkbup29.xyz
triciaaprimrosevp.com
newleter.com
ptzslk.xyz
lightbulbfestival.com
texaslandline.com
ideeintemporelle.com
girljustdoitpodcast.com
medimediamarketing.com
bunk7outfitters.com
charlievgrfminnick.click
lifestyleinthehome.com
atfbestsale.online
frontdoorproperties.co.uk
grandpaswag2024.info
masterbidbox.com
twinmall.xyz
apihb.com
tanbuhelir.com
excortclub.com
avxxxtube.com
dayonetaxes.com
xx7zncjthyo.xyz
barhat-dance.online
wxbaonayue.com
sorunsuzyayinburada9.shop
so-do-to.com
bonettr.com
gosucculents.com
axcelus.mobi
elityou.com
82163.xyz
ugfc.monster
wxxinglong.com
fleurdelis-ksa.com
australiaxxxhookup.com
hieu.asia
lailashawa.com
littlefoxgrp.com
modi.codes
frenchmattie.com
francoishogue-rpg.com
ntzb1.vip
adfoidoas.shop
meter-ooh.com
mamarosarienne.online
sharonmevans.com
ccapltal.com
ewardsrq.com
rgmtrucking.com
nilhanzsa.net
prodemtim-healthy-gums.com
aviationsoftware.aero
frog.lol
hauntingmedia.com
newindianewsnetwork.com
calfamfitclasses.net
sparrow-coffee.com
centralcoastquotes.com
tangocitymoscow.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1140-87-0x0000000000400000-0x0000000001462000-memory.dmp formbook behavioral1/memory/1140-93-0x0000000000400000-0x0000000001462000-memory.dmp formbook behavioral1/memory/884-98-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/884-103-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 876 EQNEDT32.EXE -
Downloads MZ/PE file
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
clean_registry.execlean_registry.exedescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe clean_registry.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe clean_registry.exe -
Executes dropped EXE 1 IoCs
Processes:
clean_registry.exepid process 1996 clean_registry.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEclean_registry.execlean_registry.exepid process 876 EQNEDT32.EXE 1996 clean_registry.exe 1996 clean_registry.exe 1140 clean_registry.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
clean_registry.exepid process 1140 clean_registry.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
clean_registry.execlean_registry.exepid process 1996 clean_registry.exe 1140 clean_registry.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
clean_registry.execlean_registry.exehelp.exedescription pid process target process PID 1996 set thread context of 1140 1996 clean_registry.exe clean_registry.exe PID 1140 set thread context of 1208 1140 clean_registry.exe Explorer.EXE PID 884 set thread context of 1208 884 help.exe Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 12 IoCs
Processes:
resource yara_rule C:\Users\Public\clean_registry.exe nsis_installer_1 C:\Users\Public\clean_registry.exe nsis_installer_2 \Users\Public\clean_registry.exe nsis_installer_1 \Users\Public\clean_registry.exe nsis_installer_2 C:\Users\Public\clean_registry.exe nsis_installer_1 C:\Users\Public\clean_registry.exe nsis_installer_2 C:\Users\Public\clean_registry.exe nsis_installer_1 C:\Users\Public\clean_registry.exe nsis_installer_2 \Users\Public\clean_registry.exe nsis_installer_1 \Users\Public\clean_registry.exe nsis_installer_2 C:\Users\Public\clean_registry.exe nsis_installer_1 C:\Users\Public\clean_registry.exe nsis_installer_2 -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2024 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
clean_registry.exehelp.exepid process 1140 clean_registry.exe 1140 clean_registry.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe 884 help.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
clean_registry.execlean_registry.exehelp.exepid process 1996 clean_registry.exe 1140 clean_registry.exe 1140 clean_registry.exe 1140 clean_registry.exe 884 help.exe 884 help.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
clean_registry.exehelp.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1140 clean_registry.exe Token: SeDebugPrivilege 884 help.exe Token: SeShutdownPrivilege 1208 Explorer.EXE Token: SeShutdownPrivilege 1208 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2024 WINWORD.EXE 2024 WINWORD.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEclean_registry.exeExplorer.EXEhelp.exedescription pid process target process PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 876 wrote to memory of 1996 876 EQNEDT32.EXE clean_registry.exe PID 2024 wrote to memory of 1440 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 1440 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 1440 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 1440 2024 WINWORD.EXE splwow64.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1996 wrote to memory of 1140 1996 clean_registry.exe clean_registry.exe PID 1208 wrote to memory of 884 1208 Explorer.EXE help.exe PID 1208 wrote to memory of 884 1208 Explorer.EXE help.exe PID 1208 wrote to memory of 884 1208 Explorer.EXE help.exe PID 1208 wrote to memory of 884 1208 Explorer.EXE help.exe PID 884 wrote to memory of 692 884 help.exe cmd.exe PID 884 wrote to memory of 692 884 help.exe cmd.exe PID 884 wrote to memory of 692 884 help.exe cmd.exe PID 884 wrote to memory of 692 884 help.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8f6f20b9800cc3739e08c986979fe886.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\clean_registry.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\clean_registry.exe"C:\Users\Public\clean_registry.exe"2⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\clean_registry.exe"C:\Users\Public\clean_registry.exe"3⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD55e0884726fdc8b5cb9dfe2341f76f265
SHA1138ea225f9cdb855fcbcb78cf4b04f8d2e7a4563
SHA256a23eb3890288f6f6d68c23214f2d8221007a4134fc62ba74a7e1ce02581b52e8
SHA512fb07e23ba0976452b6cccbfe3fd0df54e88ca06dc834b85d30be89ec20d9fbde3c21ec52daf92b3363c81a6aada4767042ab7a9868d02e9fc0ce17256c0d551f
-
C:\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
C:\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
C:\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
C:\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
\Users\Admin\AppData\Local\Temp\nsd538E.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
\Users\Public\clean_registry.exeFilesize
280KB
MD5c6d2ae33edf3d67a0c2abe42836c2874
SHA1c29bcdccea09e6f3ecdef77fac70d96c9d8acfa3
SHA2564e1e5ed444f1dd3c1807df4b9e6c41e9e53556a80e7c28701ef6571bd081fac2
SHA512444c4c45ec9d5f0d7202fd76a073c8387792a1500386c34b032d523e2a27a5a5a97b6c980c6d4e6a4980ebc6da9e4fd4b3db63021c254d7c89b0390dda8b6d5c
-
memory/884-101-0x00000000009C0000-0x0000000000CC3000-memory.dmpFilesize
3.0MB
-
memory/884-95-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/884-122-0x0000000000320000-0x00000000003B3000-memory.dmpFilesize
588KB
-
memory/884-103-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/884-98-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/884-97-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/1140-91-0x0000000036890000-0x00000000368A4000-memory.dmpFilesize
80KB
-
memory/1140-93-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1140-84-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1140-89-0x0000000036BE0000-0x0000000036EE3000-memory.dmpFilesize
3.0MB
-
memory/1140-88-0x0000000001470000-0x00000000068D4000-memory.dmpFilesize
84.4MB
-
memory/1140-96-0x0000000001470000-0x00000000068D4000-memory.dmpFilesize
84.4MB
-
memory/1140-87-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1140-83-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1140-85-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1208-124-0x0000000004AB0000-0x0000000004B52000-memory.dmpFilesize
648KB
-
memory/1208-92-0x0000000003D50000-0x0000000003E14000-memory.dmpFilesize
784KB
-
memory/1208-127-0x0000000004AB0000-0x0000000004B52000-memory.dmpFilesize
648KB
-
memory/1208-123-0x0000000004AB0000-0x0000000004B52000-memory.dmpFilesize
648KB
-
memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2024-121-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB