remcos | 2490954c3b255bfb810b9552a52e58607dab2b9b5c2e551b1d0934583c11a603

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29/06/2023, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Product Inquiry list_1.rtf
Size

40KB
MD5

1f17c3775584429ef126cd4afb0ad7ca
SHA1

87dd20bd063aeb6d345bb7e678f5feaf2d70c6f2
SHA256

2490954c3b255bfb810b9552a52e58607dab2b9b5c2e551b1d0934583c11a603
SHA512

52a97dd8bef40947659eedb2bd2c865c48b08d8fe3d8b7e399fd73f651219fa9fd9821a881abe47dc20a440ed047c7ecb50dc7e801d361081a8138a2bac5972c
SSDEEP

768:8Fx0XaIsnPRIa4fwJMl8h5YLzbw106i7cK5d2/cip0gLvMTeIQ3btj:8f0Xvx3EMQ6zbw6J7cAYcu0gLEeIspj

Score

10^/10

remcos log persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LOG

5.253.114.108:2022

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chromes.exe
copy_folder
chromes
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-456ENB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	976	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
884	papiodfd467651.exe
628	papiodfd467651.exe
752	chromes.exe
916	chromes.exe

Loads dropped DLL 4 IoCs

pid	Process
976	EQNEDT32.EXE
884	papiodfd467651.exe
628	papiodfd467651.exe
752	chromes.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	chromes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\yienjscxhqmvrb = "C:\\Users\\Admin\\AppData\\Roaming\\oxtdmirbwg\\cluq.exe \"C:\\Users\\Admin\\AppData\\Roaming\\papiodfd467651.exe\""	papiodfd467651.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	papiodfd467651.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	papiodfd467651.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\	chromes.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\	papiodfd467651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	papiodfd467651.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 628	884	papiodfd467651.exe	33
PID 752 set thread context of 916	752	chromes.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
976	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1176	WINWORD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
884	papiodfd467651.exe
752	chromes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1176	WINWORD.EXE
1176	WINWORD.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 884	976	EQNEDT32.EXE	31
PID 976 wrote to memory of 884	976	EQNEDT32.EXE	31
PID 976 wrote to memory of 884	976	EQNEDT32.EXE	31
PID 976 wrote to memory of 884	976	EQNEDT32.EXE	31
PID 884 wrote to memory of 628	884	papiodfd467651.exe	33
PID 884 wrote to memory of 628	884	papiodfd467651.exe	33
PID 884 wrote to memory of 628	884	papiodfd467651.exe	33
PID 884 wrote to memory of 628	884	papiodfd467651.exe	33
PID 884 wrote to memory of 628	884	papiodfd467651.exe	33
PID 628 wrote to memory of 752	628	papiodfd467651.exe	35
PID 628 wrote to memory of 752	628	papiodfd467651.exe	35
PID 628 wrote to memory of 752	628	papiodfd467651.exe	35
PID 628 wrote to memory of 752	628	papiodfd467651.exe	35
PID 752 wrote to memory of 916	752	chromes.exe	36
PID 752 wrote to memory of 916	752	chromes.exe	36
PID 752 wrote to memory of 916	752	chromes.exe	36
PID 752 wrote to memory of 916	752	chromes.exe	36
PID 752 wrote to memory of 916	752	chromes.exe	36
PID 1176 wrote to memory of 1416	1176	WINWORD.EXE	37
PID 1176 wrote to memory of 1416	1176	WINWORD.EXE	37
PID 1176 wrote to memory of 1416	1176	WINWORD.EXE	37
PID 1176 wrote to memory of 1416	1176	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Product Inquiry list_1.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1416

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Roaming\papiodfd467651.exe
  "C:\Users\Admin\AppData\Roaming\papiodfd467651.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Roaming\papiodfd467651.exe
    "C:\Users\Admin\AppData\Roaming\papiodfd467651.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\ProgramData\chromes\chromes.exe
      "C:\ProgramData\chromes\chromes.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\ProgramData\chromes\chromes.exe
        
        "C:\ProgramData\chromes\chromes.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chromes\chromes.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzpynfhc.kke

Filesize
7KB

MD5
2da2f9b58155b21faccd9352055bc74d

SHA1
6099e2b423926ba86fd13297f6944a7ff88dd34f

SHA256
c701d68d498da31f667d4878936ca9ac7d17b5c6b4c1bcbf9d26ce96ebc98911

SHA512
7804999a641b751e2793c3bdb51dd29dd8261d5cc6ac835a29f2de71c7b0825a698debce789eb61dfa7845d3f9756f31fc92b9b53128fb5f3ba7d46062a42a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj2475.tmp\jzowju.dll

Filesize
4KB

MD5
ad28a4eb8b1c753de37dd6fb281e6e29

SHA1
a9a95e4033e96ce2dd6d542a7d8cb16175aed1d0

SHA256
7a613cced366b6345cd15449036a5ab7559058ca2988bbb267e655c71438cf33

SHA512
9c610092d8fac325058f02b4e7928c3123234f0188507841531deda77fa6109ae7216b9a38aaae3a3bb2bdf0cb2e3bad4b7d07bc958df4122bf8e7f7a87e7011

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzvgyrxhu.tfc

Filesize
501KB

MD5
9253abb755a9ba6a746031aee8d56236

SHA1
ca16aa47369feb257911389414b80765691570fc

SHA256
f8d7fff833325442cf0e4cf6bb5d8457bff4d55d3de1b04115bd681ac903376f

SHA512
e73ab6277898b14fc5289478c9bd19c2cd960eeb8f300038af9d0b27d36aa8bb2e6fa2a85a4ef2a9a1a79cb9c0a2e243903d947cfdfec838020d3412d0b3ccab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9f28ee204cf2d753dfd62a3e184e6295

SHA1
a5f217cca9a45a79116281b373deb49d8478fea7

SHA256
720c7ea3440037351666367e2d3d13840677768f2e18ca11c8596bf84c11f828

SHA512
5445fdfb98292612bab295823c8b7f038a701aa08040e2368c949f30686b17fd523b16288706692ed39e3774302b3cb0ea87c858dd3524a75bc6c8b7b0b588a7

Download Submit
C:\Users\Admin\AppData\Roaming\papiodfd467651.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\Users\Admin\AppData\Roaming\papiodfd467651.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\Users\Admin\AppData\Roaming\papiodfd467651.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
C:\Users\Admin\AppData\Roaming\papiodfd467651.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
\ProgramData\chromes\chromes.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2475.tmp\jzowju.dll

Filesize
4KB

MD5
ad28a4eb8b1c753de37dd6fb281e6e29

SHA1
a9a95e4033e96ce2dd6d542a7d8cb16175aed1d0

SHA256
7a613cced366b6345cd15449036a5ab7559058ca2988bbb267e655c71438cf33

SHA512
9c610092d8fac325058f02b4e7928c3123234f0188507841531deda77fa6109ae7216b9a38aaae3a3bb2bdf0cb2e3bad4b7d07bc958df4122bf8e7f7a87e7011

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\jzowju.dll

Filesize
4KB

MD5
ad28a4eb8b1c753de37dd6fb281e6e29

SHA1
a9a95e4033e96ce2dd6d542a7d8cb16175aed1d0

SHA256
7a613cced366b6345cd15449036a5ab7559058ca2988bbb267e655c71438cf33

SHA512
9c610092d8fac325058f02b4e7928c3123234f0188507841531deda77fa6109ae7216b9a38aaae3a3bb2bdf0cb2e3bad4b7d07bc958df4122bf8e7f7a87e7011

Download Submit
\Users\Admin\AppData\Roaming\papiodfd467651.exe

Filesize
527KB

MD5
4daef76971794649d0c0bcc97a9fd246

SHA1
49522f33f7f2852d9637c98d560437b4d88adcd5

SHA256
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

SHA512
3d83321a39384eb101ab261fc91444b400cae918d4422b8f298cda8eed73dad155ca9324235ba9e6a47316017498ad5fb6cde0111f3a111786aa47679a6b9a0a

Download Submit
memory/628-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/628-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/628-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/884-75-0x0000000001D80000-0x0000000001D82000-memory.dmp

Filesize
8KB

Download
memory/916-123-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-108-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-107-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-109-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-110-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-112-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-113-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-114-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-116-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-117-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-119-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-124-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-125-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-126-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-128-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-130-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-133-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-145-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-148-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-149-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-152-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-158-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-159-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-160-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-162-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/916-163-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1176-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads