Analysis
max time kernel: 148s
max time network: 73s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2023 05:16
Static task: static1
Behavioral task: behavioral1
Sample: 39669a47b553f5d6b3ed6b730d7852f9.rtf
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 39669a47b553f5d6b3ed6b730d7852f9.rtf
Resource: win10v2004-20230220-en
General
Target: 39669a47b553f5d6b3ed6b730d7852f9.rtf
Size: 22KB
MD5: 39669a47b553f5d6b3ed6b730d7852f9
SHA1: 74b365ae0dc316eee5de6df5911019cabe512efb
SHA256: 8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d
SHA512: 1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b
SSDEEP: 384:d8eKvpZlj7bLrJU/Wx1mEIZBFhqeq/d7SZ7DPvZ5pfiZcp2k4V7qQsqG14uT+hS1:dBeZljnLrJUOx180luZfp3p2kA7q1qED
Malware Config
Extracted
formbook
4.1
gtt8
Signatures
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
Formbook payload 1 IoCs
Processes:
resource behavioral1/memory/392-88-0x0000000000400000-0x0000000001462000-memory.dmp, yara_rule formbook
Blocklisted process makes network request 1 IoCs
Processes:
flow 3, pid 884, process EQNEDT32.EXE
Downloads MZ/PE file
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
description File opened (read-only), ioc C:\Program Files\Qemu-ga\qemu-ga.exe, process clean_registry.exe
description File opened (read-only), ioc C:\Program Files\Qemu-ga\qemu-ga.exe, process clean_registry.exe
Executes dropped EXE 1 IoCs
Processes:
pid 1612, process clean_registry.exe
Loads dropped DLL 9 IoCs
Processes:
pid 884, process EQNEDT32.EXE
pid 1612, process clean_registry.exe
pid 1612, process clean_registry.exe
pid 392, process clean_registry.exe
pid 1652, process WerFault.exe
pid 1652, process WerFault.exe
pid 1652, process WerFault.exe
pid 1652, process WerFault.exe
pid 1652, process WerFault.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid 392, process clean_registry.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid 1612, process clean_registry.exe
pid 392, process clean_registry.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description PID 1612 set thread context of 392, process clean_registry.exe, target process clean_registry.exe
Drops file in Windows directory 1 IoCs
Processes:
description File opened for modification, ioc C:\Windows\Debug\WIA\wiatrace.log, process WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid 1652, pid_target 392, process WerFault.exe, target process clean_registry.exe
NSIS installer 22 IoCs
Processes:
resource C:\Users\Public\clean_registry.exe, yara_rule nsis_installer_1 (4 matches)
resource C:\Users\Public\clean_registry.exe, yara_rule nsis_installer_2 (4 matches)
resource \Users\Public\clean_registry.exe, yara_rule nsis_installer_1 (7 matches)
resource \Users\Public\clean_registry.exe, yara_rule nsis_installer_2 (7 matches)
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes:
Modifies registry class 64 IoCs
Processes:
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 1048, process WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 1612, process clean_registry.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 1048, process WINWORD.EXE
pid 1048, process WINWORD.EXE
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description PID 884 wrote to memory of 1612, process EQNEDT32.EXE, target process clean_registry.exe (7 rows)
description PID 1048 wrote to memory of 1280, process WINWORD.EXE, target process splwow64.exe (4 rows)
description PID 1612 wrote to memory of 392, process clean_registry.exe, target process clean_registry.exe (8 rows)
description PID 392 wrote to memory of 1652, process clean_registry.exe, target process WerFault.exe (4 rows)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\39669a47b553f5d6b3ed6b730d7852f9.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\clean_registry.exe
    Command line: "C:\Users\Public\clean_registry.exe"
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\clean_registry.exe
      Command line: "C:\Users\Public\clean_registry.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 740
        - Loads dropped DLL
        - Program crash
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 20KB
MD5: c7109413f0159e8ee21bec815626e681
SHA1: a14ea7dec30374a5ed69f09ac76d39e64eb4b34b
SHA256: 5ef77d2a042a9c34cc2a87ebd51dc4aa9b09de91645cb20e8c3b14da91e7f9e1
SHA512: 1dc2f5d8069835834fae1d8f48787f65ec7c2521d5395b9d8be1b2a82dff9be629d74e661122633aa9853a75fa3f058b0b25890220ceff4d1866b8a2c0c7ce43

C:\Users\Public\clean_registry.exe
Filesize: 285KB
MD5: a413d04a39c86bd0b4ca116227d20a30
SHA1: 0d88f2cca0aae58c31add82851c42fa1702cd4cf
SHA256: 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
SHA512: e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

\Users\Admin\AppData\Local\Temp\nsjA68E.tmp\System.dll
Filesize: 11KB
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

\Users\Public\clean_registry.exe
Filesize: 285KB
MD5: a413d04a39c86bd0b4ca116227d20a30
SHA1: 0d88f2cca0aae58c31add82851c42fa1702cd4cf
SHA256: 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
SHA512: e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318

memory/392-87-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize: 16.4MB

memory/392-88-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize: 16.4MB

memory/392-89-0x0000000001470000-0x00000000043A8000-memory.dmp
Filesize: 47.2MB

memory/392-86-0x0000000001470000-0x00000000043A8000-memory.dmp
Filesize: 47.2MB

memory/392-85-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize: 16.4MB

memory/392-94-0x0000000001470000-0x00000000043A8000-memory.dmp
Filesize: 47.2MB

memory/1048-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB

memory/1048-123-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB

memory/1612-81-0x0000000002D20000-0x0000000005C58000-memory.dmp
Filesize: 47.2MB

memory/1612-80-0x0000000002D20000-0x0000000005C58000-memory.dmp
Filesize: 47.2MB