10Static
static
3Done/PROMAC_S.exe
windows7-x64
10Done/PROMAC_S.exe
windows10-1703-x64
10Done/PROMAC_S.exe
windows10-2004-x64
10Done/PROMAC_S.exe
windows11-21h2-x64
10Promac S.A...OC.exe
windows7-x64
10Promac S.A...OC.exe
windows10-1703-x64
10Promac S.A...OC.exe
windows10-2004-x64
10Promac S.A...OC.exe
windows11-21h2-x64
10Order_Spec...Ε.docx
windows7-x64
10Order_Spec...Ε.docx
windows10-1703-x64
1Order_Spec...Ε.docx
windows10-2004-x64
1Order_Spec...Ε.docx
windows11-21h2-x64
1PI7812367813.rtf
windows7-x64
10PI7812367813.rtf
windows10-1703-x64
1PI7812367813.rtf
windows10-2004-x64
1PI7812367813.rtf
windows11-21h2-x64
1Analysis
-
max time kernel
270s -
max time network
302s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
29/11/2023, 14:34
Static task
static1
Behavioral task
behavioral1
Sample
Done/PROMAC_S.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
Done/PROMAC_S.exe
Resource
win10-20231020-en
Behavioral task
behavioral3
Sample
Done/PROMAC_S.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Done/PROMAC_S.exe
Resource
win11-20231128-en
Behavioral task
behavioral5
Sample
Promac S.A.220172615415415.DOC.exe
Resource
win7-20231023-en
Behavioral task
behavioral6
Sample
Promac S.A.220172615415415.DOC.exe
Resource
win10-20231025-en
Behavioral task
behavioral7
Sample
Promac S.A.220172615415415.DOC.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral8
Sample
Promac S.A.220172615415415.DOC.exe
Resource
win11-20231128-en
Behavioral task
behavioral9
Sample
Order_Spec_COSMOS ALUMINIUM Α.Ε.docx
Resource
win7-20231020-en
Behavioral task
behavioral10
Sample
Order_Spec_COSMOS ALUMINIUM Α.Ε.docx
Resource
win10-20231020-en
Behavioral task
behavioral11
Sample
Order_Spec_COSMOS ALUMINIUM Α.Ε.docx
Resource
win10v2004-20231127-en
Behavioral task
behavioral12
Sample
Order_Spec_COSMOS ALUMINIUM Α.Ε.docx
Resource
win11-20231128-en
Behavioral task
behavioral13
Sample
PI7812367813.rtf
Resource
win7-20231023-en
Behavioral task
behavioral14
Sample
PI7812367813.rtf
Resource
win10-20231020-en
Behavioral task
behavioral15
Sample
PI7812367813.rtf
Resource
win10v2004-20231127-en
Behavioral task
behavioral16
Sample
PI7812367813.rtf
Resource
win11-20231128-en
General
-
Target
Order_Spec_COSMOS ALUMINIUM Α.Ε.docx
-
Size
16KB
-
MD5
eff79cccec3ac8ee1f5b44d6190b51b8
-
SHA1
669380f4d5e30ad225d89d85ddece6ea70b5f2a0
-
SHA256
adc77c376bb24286de600515aae37a4d4e1136c9c349ee6c36531e397522258e
-
SHA512
cf29e40c16a3afc5a005a21e7e89712d7cbb6f62314c094867631dcf37fadf6f49b7c62d4dad8f769678c16369ee8a013a4f9974cd1d5be1a3c00d4aa36e7683
-
SSDEEP
384:zyXeZPhWLs8PL8wi4OEwH8TIbE91r2fRpJYqviiO6A0MuS:zcef05P3DOqnYJnzvDO6A0Mb
Malware Config
Extracted
nanocore
1.2.2.0
rn72836.sytes.net:6696
127.0.0.1:6696
3f30b298-001f-4f08-b22c-606b0d3632bd
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-09-08T19:00:17.997607436Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6696
-
default_group
rn728
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
3f30b298-001f-4f08-b22c-606b0d3632bd
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
rn72836.sytes.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 10 2912 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
pid Process 1644 plugman29036.exe 2268 plugman29036.exe -
Loads dropped DLL 1 IoCs
pid Process 2912 EQNEDT32.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe" plugman29036.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA plugman29036.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1644 set thread context of 2268 1644 plugman29036.exe 33 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\SCSI Manager\scsimgr.exe plugman29036.exe File opened for modification C:\Program Files (x86)\SCSI Manager\scsimgr.exe plugman29036.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 812 schtasks.exe 1792 schtasks.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2912 EQNEDT32.EXE -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = 
"&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 
7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2024 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe 2268 plugman29036.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2268 plugman29036.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2268 plugman29036.exe Token: SeShutdownPrivilege 2024 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2024 WINWORD.EXE 2024 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2912 wrote to memory of 1644 2912 EQNEDT32.EXE 30 PID 2912 wrote to memory of 1644 2912 EQNEDT32.EXE 30 PID 2912 wrote to memory of 1644 2912 EQNEDT32.EXE 30 PID 2912 wrote to memory of 1644 2912 EQNEDT32.EXE 30 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 1644 wrote to memory of 2268 1644 plugman29036.exe 33 PID 2268 wrote to memory of 812 2268 plugman29036.exe 34 PID 2268 wrote to memory of 812 2268 plugman29036.exe 34 PID 2268 wrote to memory of 812 2268 plugman29036.exe 34 PID 2268 wrote to memory of 812 2268 plugman29036.exe 34 PID 2268 wrote to memory of 1792 2268 plugman29036.exe 36 PID 2268 wrote to memory of 1792 2268 plugman29036.exe 36 PID 2268 wrote to memory of 1792 2268 plugman29036.exe 36 PID 2268 wrote to memory of 1792 2268 plugman29036.exe 36 PID 2024 wrote to memory of 1244 2024 WINWORD.EXE 38 PID 2024 wrote to memory of 1244 2024 WINWORD.EXE 38 PID 2024 wrote to memory of 1244 2024 WINWORD.EXE 38 PID 2024 wrote to memory of 1244 2024 WINWORD.EXE 38
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1244
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Roaming\plugman29036.exe"C:\Users\Admin\AppData\Roaming\plugman29036.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Roaming\plugman29036.exe"C:\Users\Admin\AppData\Roaming\plugman29036.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA43.tmp"4⤵
- Creates scheduled task(s)
PID:812
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC47.tmp"4⤵
- Creates scheduled task(s)
PID:1792
-
-
-
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{320F262B-D90A-4C08-B3E8-B4328BA54246}.FSD
Filesize128KB
MD5e5231089fd720f96997b6d73c76f5ca2
SHA10b6d7cb397c40587249103da2b7500ac09ffd602
SHA2560259647df3dd912806671f7d91334dd65cb4fce2da656b0aa0db7aa1d7658a70
SHA512199781cdd1759079e12acb14cf5baf124842bda7d6fe00ac560233672d4a0bb03bda5f971dec02e20a999976bd11f90d59cc550f1a7f60aeb73f9cd06459fa66
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{320F262B-D90A-4C08-B3E8-B4328BA54246}.FSD
Filesize128KB
MD5d9f522bf00f91cb75ae657c9c2bdb688
SHA1e7e4cfc09675197abe52fe1cad41f0fcab1985db
SHA2566d6e772627a497bd190943e49a4ca19e06e3807a536ff6d8e6cadb447a20ddb6
SHA512eefd8062ac3404c285a52f44b58ecb3185d04fe86405368e8974c5fec759413937762cc9ce7ab8cc4a88f2b9457699c13946da8b6bd4cea85aab28f42b547bdc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5c4403a46e87f6bc1def1c1215b0b29e7
SHA1e0b35e09646770a7e9ec05b203c08c54742cb577
SHA2560f7f75cc25f3eb5adaeff95e65c3877e29baa03d442d740d378e853168f40c21
SHA512964161c0a7a745a16bfbbac4e9823aad570cef7b5eb0f5cde695f83541be8e4db3654f8b01679495eca8afcfc6f6cc4c7dff0a5ca7a986c4a66c000918df2915
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F1D73D2C-7160-4076-B0CF-0E79F9C72222}.FSD
Filesize128KB
MD5abd87ab771f04724de9247d59deb9428
SHA11fb3ff1e9e817449bf558444c1f871b007f84770
SHA2565d0a6c3da9337938c2ea1064c43fd1d1e1602acf8b15248d2a84edd6e464773a
SHA5127fc431b78cba0f13a59763b91a9facc510bfb75d4784f7d3f4e4a6ab9f3c6515265f257b7dfa4f306ecb40759d45cffcbec5544b47f17361e591c47c594b1ee9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\plugmanzx[1].doc
Filesize123KB
MD500bc84ea46871a6109ea431895212de6
SHA1a39d7050310f899c6f90a32965fdae7510b7dc6a
SHA2565cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977
SHA512ee41df4b47e29d6199f51554e975fab2a80ccb8f8a93880b37641cfd263a313a076580a6bd4f1bb497a41ef73092a3363dafe906ab722d0daff352e993afc360
-
Filesize
1KB
MD587d51fa1cc254273b019f5828ea7194f
SHA1692dd452d56c655e4f7a044a4c785bd82d3b2a57
SHA2561d50bc377216f796fafc72544836c5a2b9d6a51d0bc855c6ecf92b270dbc9f8c
SHA512477c1396421ccfc12d62a8f1c9744b7e9c695d98b12ea02fbd76a1b9760587a7075e24e512c19fdd305c5933e20bcc22e8d9848f7281a1927bea5a62292cada2
-
Filesize
1KB
MD5f852c93e083d04e21605d65da8fc6b36
SHA1cd0ee83b34e18e41a4f7f75c51285a81e502e966
SHA256fc83a4838c8f389314d453d7803a77d31926592ee8e8c1b8dfca71f8f68518c8
SHA512bcb3b0767f46c5882d812159fed9475bf0e88e62a986a14761cebb60b7ce2b71f7caca2c3fafaf9d03556c93d6fe37fa8053215618734a5121a84e08bfd6e250
-
Filesize
128KB
MD5a1a4a363ae65b33c9ededaebe55fa950
SHA11d3068b6a83dd026b931f179a809065c47161547
SHA256fb24b0ec0766431fdae19d248daa39500296c2a81efada953fe689aec78508ad
SHA512e9c3d3addd03c99e904069a0672ba2b7bbe52f6b9af71de4ba82a53e5fec5657f1770473a8f31128b1fb35fe5dee9dbb7aa663f9d7d6825eba68361436c8fa89
-
Filesize
20KB
MD549b0b353923a50ea5be62872d4c38ef0
SHA12eddbaebfd4cadd224682e4660ae8b399c4d1db6
SHA2565724d8bf7c254eda21c715fd6f7f7b6a6eb821658866c1e0b83ab3e0a6f93b32
SHA512d2cb59a0143f3555624ab11c58779c9444e5b507ae7053ca5710f0eab381a9629f0f69d9ab3d424103fdf66ace53a11e6451ffa22247d1dfe3563ac8c0a12410
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
654KB
MD5d0cc28fddecca60c208ae56d78014e95
SHA134069e3897de6509b630f9b65b067ae9a74baffc
SHA256e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA51268626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80
-
Filesize
654KB
MD5d0cc28fddecca60c208ae56d78014e95
SHA134069e3897de6509b630f9b65b067ae9a74baffc
SHA256e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA51268626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80
-
Filesize
654KB
MD5d0cc28fddecca60c208ae56d78014e95
SHA134069e3897de6509b630f9b65b067ae9a74baffc
SHA256e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA51268626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80
-
Filesize
654KB
MD5d0cc28fddecca60c208ae56d78014e95
SHA134069e3897de6509b630f9b65b067ae9a74baffc
SHA256e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA51268626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80
-
Filesize
654KB
MD5d0cc28fddecca60c208ae56d78014e95
SHA134069e3897de6509b630f9b65b067ae9a74baffc
SHA256e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA51268626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80