Overview
overview
4Static
static
1apk_1697589273998.apk
android-9-x86
1apk_1697589273998.apk
android-11-x64
1D1F6qdxW5G...YY.xls
windows7-x64
1D1F6qdxW5G...YY.xls
windows10-2004-x64
1DoaeSzkHj1...CX.xls
windows7-x64
1DoaeSzkHj1...CX.xls
windows10-2004-x64
1E.bat
windows7-x64
1E.bat
windows10-2004-x64
1MnFM6Eg6RA...iS.pdf
windows7-x64
1MnFM6Eg6RA...iS.pdf
windows10-2004-x64
1NdP63IdfX8...iz8.py
windows7-x64
3NdP63IdfX8...iz8.py
windows10-2004-x64
3Q.doc
windows7-x64
4Q.doc
windows10-2004-x64
1QrjLyBiXj1...1.docx
windows7-x64
4QrjLyBiXj1...1.docx
windows10-2004-x64
1R.bat
windows7-x64
1R.bat
windows10-2004-x64
1SiL3QjQCkz...Jr.pdf
windows7-x64
1SiL3QjQCkz...Jr.pdf
windows10-2004-x64
1T2Rzf6tyOo...FX.xls
windows7-x64
1T2Rzf6tyOo...FX.xls
windows10-2004-x64
1Z.bat
windows7-x64
1Z.bat
windows10-2004-x64
1base_fragment.sh
windows7-x64
3base_fragment.sh
windows10-2004-x64
3base_vertex.sh
windows7-x64
3base_vertex.sh
windows10-2004-x64
3default_fragment.sh
windows7-x64
3default_fragment.sh
windows10-2004-x64
3default_vertex.sh
windows7-x64
3default_vertex.sh
windows10-2004-x64
3Analysis
-
max time kernel
117s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
29-10-2023 08:44
Static task
static1
Behavioral task
behavioral1
Sample
apk_1697589273998.apk
Resource
android-x86-arm-20231023-en
android-9-x86
Behavioral task
behavioral2
Sample
apk_1697589273998.apk
Resource
android-x64-arm64-20231023-en
android-11-x64
Behavioral task
behavioral3
Sample
D1F6qdxW5GrWePWyH3ZERux6tYVsDN3Mgr7j9IwWtbMyV775q29urqgKSooIlkMobGesFwnLYjiA55EYY9pg1CtRxEMyjJPfbQYY.xls
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
D1F6qdxW5GrWePWyH3ZERux6tYVsDN3Mgr7j9IwWtbMyV775q29urqgKSooIlkMobGesFwnLYjiA55EYY9pg1CtRxEMyjJPfbQYY.xls
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
DoaeSzkHj1f8BkYnLwzVGgeCfJxVq2nBjTkuCwE5fZgnBZb1ltkJxGujup2BFCTGZUli5hjnrgU2hUXJINPBC5zHreIlJ6dYkZCX.xls
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral6
Sample
DoaeSzkHj1f8BkYnLwzVGgeCfJxVq2nBjTkuCwE5fZgnBZb1ltkJxGujup2BFCTGZUli5hjnrgU2hUXJINPBC5zHreIlJ6dYkZCX.xls
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
E.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral8
Sample
E.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
MnFM6Eg6RAJGskH5MVBrggN8GybYwC7h2vvZcAM9bVrIWiAmVRWjleBEFpFIFk6NS1PDiuAf8FXfUDhJiLETkjV8hvbeJTgmeKiS.pdf
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral10
Sample
MnFM6Eg6RAJGskH5MVBrggN8GybYwC7h2vvZcAM9bVrIWiAmVRWjleBEFpFIFk6NS1PDiuAf8FXfUDhJiLETkjV8hvbeJTgmeKiS.pdf
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
NdP63IdfX81prebRWMpIiU9v2IRDgvP9NtPkXEXvSwfpFnEIPM7P2j1Zen3S29JRUlYJEWss77o35aeq6kluEtX2JL2h5uAPPiz8.py
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral12
Sample
NdP63IdfX81prebRWMpIiU9v2IRDgvP9NtPkXEXvSwfpFnEIPM7P2j1Zen3S29JRUlYJEWss77o35aeq6kluEtX2JL2h5uAPPiz8.py
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Q.doc
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral14
Sample
Q.doc
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
QrjLyBiXj1hnhZgWipnbbADw3IqN49wREgzyroAZDvFplQZTCRwQ9fH93bn4DjEBlA4AJU4yncfn1XkxOMdGBSJ4YzDGpM6Wmiv1.docx
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral16
Sample
QrjLyBiXj1hnhZgWipnbbADw3IqN49wREgzyroAZDvFplQZTCRwQ9fH93bn4DjEBlA4AJU4yncfn1XkxOMdGBSJ4YzDGpM6Wmiv1.docx
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
R.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral18
Sample
R.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
SiL3QjQCkze2u1t1ThVBqUXn7A25vgFxDlydf8nqCccIJIGX2OH8CGMm1swYHgPVnlWVRGExaj8wwWCLgfqUGNYuwkWh9WSHQHJr.pdf
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral20
Sample
SiL3QjQCkze2u1t1ThVBqUXn7A25vgFxDlydf8nqCccIJIGX2OH8CGMm1swYHgPVnlWVRGExaj8wwWCLgfqUGNYuwkWh9WSHQHJr.pdf
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
T2Rzf6tyOobEgASLGrZiTDPZyScbYJBh2cicybU5vTElA9mK2kXEBbcbMPCPRtWdPntbV8Jd7g4rUpcqXdwIVuVCfmrUMM8EE3FX.xls
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral22
Sample
T2Rzf6tyOobEgASLGrZiTDPZyScbYJBh2cicybU5vTElA9mK2kXEBbcbMPCPRtWdPntbV8Jd7g4rUpcqXdwIVuVCfmrUMM8EE3FX.xls
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Z.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral24
Sample
Z.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
base_fragment.sh
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral26
Sample
base_fragment.sh
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
base_vertex.sh
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral28
Sample
base_vertex.sh
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
default_fragment.sh
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral30
Sample
default_fragment.sh
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
default_vertex.sh
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral32
Sample
default_vertex.sh
Resource
win10v2004-20231020-en
windows10-2004-x64
General
-
Target
Q.doc
-
Size
160B
-
MD5
abaf29678fcbcd3ed3ce52515d57d006
-
SHA1
41f5f851e88843bfd3b87ed903bcd85950631596
-
SHA256
ca2b5296fccde1a2a10f02c8d8e62fac3ed7929720f1c3e920964a1f416c8740
-
SHA512
21ba294ac7030ddcc273891fd15c2d994ecbb8e1939a000ae3915928f55e6f6e834d56e83e07de09c72caaf1d037b45ecc2a4d4156992b2e1e773f9e0d9f3289
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1944 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE 1944 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1944 wrote to memory of 2752 1944 WINWORD.EXE 32 PID 1944 wrote to memory of 2752 1944 WINWORD.EXE 32 PID 1944 wrote to memory of 2752 1944 WINWORD.EXE 32 PID 1944 wrote to memory of 2752 1944 WINWORD.EXE 32
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Q.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD55f3f8bbd44aa5beee4419db19de72517
SHA1af00cca623697ebabd1b2f1d7c822afd792ffa6c
SHA256c88b97235bee78ac214ec8ecf7170c0bd8b224b1f8f3f407cfc76e9befe10636
SHA5121c1c0042edecf686445ff2476e43a7c1dc8fc6dc4d58b2ceec40215c7205ca6dccbf626d8c08c034b9a575f54a93a4f607e3814f7a0ba8e3e7172953d1d2f496