remcos | 5564cb2776b7336df157a5d8133543aa7a55c59550d9c8095f660e9945f4d93f

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 09:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RO10098.docx
Size

292KB
MD5

473b3909e911de8c27ab621986c02d0e
SHA1

bd0366e2416de0fa75b77414b82f31e7ede37255
SHA256

5564cb2776b7336df157a5d8133543aa7a55c59550d9c8095f660e9945f4d93f
SHA512

bb41b10cc26a8426beba8285488a99898cd9b4a7a7e4abe4c99bb29444b3a4af3b72238fb7e0b7dd17741931a057edc834345d0da79a738e2817579306404cd4
SSDEEP

6144:yi7n5JRXQnl81RkVsBIPs5eK9U4zOu/lpW+1a5Uvk6pfo4sCy+ltOOCr0:yi75Ya1RkVTsr3OypRaOxJo4sUltOtr0

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

pekonomiana.duckdns.org:30491

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EORWFM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	1588	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
556	cleanmgrr.exe
1884	YY.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	EQNEDT32.EXE
556	cleanmgrr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 1184	1884	YY.exe	39

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1588	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2044	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	cleanmgrr.exe
Token: SeShutdownPrivilege	2044	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2044	WINWORD.EXE
2044	WINWORD.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 556	1588	EQNEDT32.EXE	31
PID 1588 wrote to memory of 556	1588	EQNEDT32.EXE	31
PID 1588 wrote to memory of 556	1588	EQNEDT32.EXE	31
PID 1588 wrote to memory of 556	1588	EQNEDT32.EXE	31
PID 2044 wrote to memory of 1420	2044	WINWORD.EXE	33
PID 2044 wrote to memory of 1420	2044	WINWORD.EXE	33
PID 2044 wrote to memory of 1420	2044	WINWORD.EXE	33
PID 2044 wrote to memory of 1420	2044	WINWORD.EXE	33
PID 556 wrote to memory of 1884	556	cleanmgrr.exe	34
PID 556 wrote to memory of 1884	556	cleanmgrr.exe	34
PID 556 wrote to memory of 1884	556	cleanmgrr.exe	34
PID 556 wrote to memory of 1884	556	cleanmgrr.exe	34
PID 556 wrote to memory of 1484	556	cleanmgrr.exe	35
PID 556 wrote to memory of 1484	556	cleanmgrr.exe	35
PID 556 wrote to memory of 1484	556	cleanmgrr.exe	35
PID 556 wrote to memory of 1484	556	cleanmgrr.exe	35
PID 1484 wrote to memory of 1068	1484	cmd.exe	37
PID 1484 wrote to memory of 1068	1484	cmd.exe	37
PID 1484 wrote to memory of 1068	1484	cmd.exe	37
PID 1484 wrote to memory of 1068	1484	cmd.exe	37
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39
PID 1884 wrote to memory of 1184	1884	YY.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RO10098.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1420

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Public\cleanmgrr.exe
  "C:\Users\Public\cleanmgrr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Public\cleanmgrr.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb47c189b734cdc65e394e8a10377ca5

SHA1
4fea69caf655fb2d770c0b345f7d461b4202e641

SHA256
136eb8883a68037f5fbcd18fa429192c0e3c6326c274f22ec95373eb43a1a040

SHA512
03d4de269fd2945be8a350ad8022288366e15b6e3d11c4394f5fd7f6d6913c3fdde25951b0bd3d407318f79a222dc299a114570c0fc2ea2ac7eb2ab39301b6f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{545E0557-29AD-40B5-9FC8-FAC32941C9E1}.FSD

Filesize
128KB

MD5
7a42cd7b252974340f27fcfea70218eb

SHA1
e11b2ec1607a9079c41fe38cc361dcf180750df5

SHA256
7097dab4101cd7fdd962af7a758f938acd318b7304ddf66495b0b997f0431a2f

SHA512
4bf8958fa6ae2eceb8588cdde6fdf3f044e9951ab5f1fe9afa57116ba480182a11cd53f49757adf60c07a075c2a571936d0a6053046e441e0e6329c0c80d67fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
81fdd4cd91ee0563006d088e55d5cd4d

SHA1
859e9ccc0dcbb4f27c6eabf281d166a193255890

SHA256
c69a693d136bee2ef08d216fc0725c9df4d10ef7d53c9ad8bc02aee93c1f71ca

SHA512
5be62f2e7aee4f1d2ee3f2543143c3eb2527512726c3d8749b3e01cf8345acb2e0a84cfe87d30071fef00601294f10f97a4f1259eb2b757775246a5e89bda1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{42786EE7-12DA-4E3F-BDF5-D3DD396728E9}.FSD

Filesize
128KB

MD5
b97cdfb041441cfaac76aec4b66251e1

SHA1
20531af5e7866d2f623928cec32013de566e5f06

SHA256
15cd09d9a0c37bd5a75f0ce414184c6abbfb994c5d680a850a54e03b56fbecbd

SHA512
1bf43ee74f17b8ac17d303472c8db75bc8e7f05e7b40599aaa9a23fa7ebcf7c9c28758436cc1d121d8dd87ba8bfe6cd8d7ed03171c68cf9f9ae83b9312e4252f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\fbfbfbfbfbfbfbfbfbfbfbfbffbf####################fbfbfbfbfb[1].doc

Filesize
23KB

MD5
7e59937dcacd711b717c66c93b90e398

SHA1
aa234257efec0d8e3aed263c657ffb1b5100c293

SHA256
a6ab84a16ff322997f35be4f417d8989d66fee60fa075477892e14b5c631ffd2

SHA512
233aa6885cebd6b0e035ee1ae40b00a6d40f77ad7614c031989b337d74916442f92dfe8f9e0f61f2c48fb105d0140446296a68418908cc1ce4965c82e67b5674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B50FDEF.dat

Filesize
1KB

MD5
a19e3005f2cf4408c6a0ef18419fd9cf

SHA1
2b2fe21480eae6c5bbc3bdc736e1186815fecffc

SHA256
01188acaff9047e8b0e6293aa34350f74b8b27f425323323b3ebd16e0284a26e

SHA512
f2c3dcc37e1868612cf73c976385c00d11c0b52db3846ab8a19d2fdf9cc0a0ec9e704da7607bb56076de7c57743f581d4ba56924994a89e692d20fe16b7ee7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8173.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8310.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A0ED902-3001-477A-92AB-16BF44F81309}

Filesize
128KB

MD5
0ae139ec6d48505bcf0b4bacd7c42cb9

SHA1
de35bb2c382173570e236ca181952a81095d25ff

SHA256
93cfeb004676c9292a38bfbb2e9355d9c3fd51eaa8a45f9c994299ccc23194d8

SHA512
03de22835376e18e7fbfb79ed467d1f162ef385243caac118928cfb6eaf5e5748cb320cc022fd9c55e0f557f2447ea90ca641f161c217b0debfd42ca4c055d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
ab150cbfbdf0c2108ddb1b98a7e24ce0

SHA1
2f031c58578c8f458da69c942e44de84ec504340

SHA256
5778377d1a3a3b1d3a117fa74d35a1844e72c906e8b87e487f500185d3faf0ac

SHA512
ffff196a90771e4f90919f19e281c4667f003f1e37599e494541dfcc459dc3b2da63e1c718fbc5f81f154c3c373ca1c05bf016224a195653cee2bcce3a57ec12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Public\cleanmgrr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
C:\Users\Public\cleanmgrr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
C:\Users\Public\cleanmgrr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
\Users\Public\cleanmgrr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
memory/556-296-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/556-301-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/1184-323-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-333-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-380-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-379-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-321-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-322-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-378-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-324-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-325-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-326-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-327-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-328-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-329-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1184-330-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-332-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-377-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-334-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-335-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-338-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-339-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-340-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-343-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-344-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-347-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-348-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1184-349-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1884-311-0x0000000000BC0000-0x0000000000C44000-memory.dmp

Filesize
528KB

Download
memory/1884-318-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/1884-320-0x000000001BC30000-0x000000001BCB0000-memory.dmp

Filesize
512KB

Download
memory/1884-319-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2044-374-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download