Overview
overview
10Static
static
10Challenge_...m.docx
windows7-x64
4Challenge_...m.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
4Challenge_...1.docx
windows10-2004-x64
1Challenge_...y.docx
windows7-x64
4Challenge_...y.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
1Challenge_...1.docx
windows10-2004-x64
1tools/numb...ing.py
ubuntu-18.04-amd64
1tools/numb...ing.py
debian-9-armhf
1tools/numb...ing.py
debian-9-mips
1tools/numb...ing.py
debian-9-mipsel
1decoder_add1.py
ubuntu-18.04-amd64
1decoder_add1.py
debian-9-armhf
1decoder_add1.py
debian-9-mips
1decoder_add1.py
debian-9-mipsel
1decoder_ah.py
ubuntu-18.04-amd64
1decoder_ah.py
debian-9-armhf
1decoder_ah.py
debian-9-mips
1decoder_ah.py
debian-9-mipsel
1decoder_chr.py
ubuntu-18.04-amd64
1decoder_chr.py
debian-9-armhf
1decoder_chr.py
debian-9-mips
1decoder_chr.py
debian-9-mipsel
1decoder_rol1.py
ubuntu-18.04-amd64
1decoder_rol1.py
debian-9-armhf
1decoder_rol1.py
debian-9-mips
1decoder_rol1.py
debian-9-mipsel
1decoder_xor1.py
ubuntu-18.04-amd64
1decoder_xor1.py
debian-9-armhf
1decoder_xor1.py
debian-9-mips
1decoder_xor1.py
debian-9-mipsel
1Analysis
-
max time kernel
1558s -
max time network
1558s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-12-2023 02:26
Static task
static1
Behavioral task
behavioral1
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win7-20231023-en
Behavioral task
behavioral4
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win10v2004-20231127-en
Behavioral task
behavioral5
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win10v2004-20231127-en
Behavioral task
behavioral7
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win7-20231020-en
Behavioral task
behavioral8
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win10v2004-20231127-en
Behavioral task
behavioral9
Sample
tools/numbers-to-string.py
Resource
ubuntu1804-amd64-20231026-en
Behavioral task
behavioral10
Sample
tools/numbers-to-string.py
Resource
debian9-armhf-20231026-en
Behavioral task
behavioral11
Sample
tools/numbers-to-string.py
Resource
debian9-mipsbe-20231026-en
Behavioral task
behavioral12
Sample
tools/numbers-to-string.py
Resource
debian9-mipsel-20231026-en
Behavioral task
behavioral13
Sample
decoder_add1.py
Resource
ubuntu1804-amd64-20231026-en
Behavioral task
behavioral14
Sample
decoder_add1.py
Resource
debian9-armhf-20231130-en
Behavioral task
behavioral15
Sample
decoder_add1.py
Resource
debian9-mipsbe-20231026-en
Behavioral task
behavioral16
Sample
decoder_add1.py
Resource
debian9-mipsel-20231130-en
Behavioral task
behavioral17
Sample
decoder_ah.py
Resource
ubuntu1804-amd64-20231026-en
Behavioral task
behavioral18
Sample
decoder_ah.py
Resource
debian9-armhf-20231026-en
Behavioral task
behavioral19
Sample
decoder_ah.py
Resource
debian9-mipsbe-20231026-en
Behavioral task
behavioral20
Sample
decoder_ah.py
Resource
debian9-mipsel-20231026-en
Behavioral task
behavioral21
Sample
decoder_chr.py
Resource
ubuntu1804-amd64-20231130-en
Behavioral task
behavioral22
Sample
decoder_chr.py
Resource
debian9-armhf-20231026-en
Behavioral task
behavioral23
Sample
decoder_chr.py
Resource
debian9-mipsbe-20231026-en
Behavioral task
behavioral24
Sample
decoder_chr.py
Resource
debian9-mipsel-20231026-en
Behavioral task
behavioral25
Sample
decoder_rol1.py
Resource
ubuntu1804-amd64-20231026-en
Behavioral task
behavioral26
Sample
decoder_rol1.py
Resource
debian9-armhf-20231130-en
Behavioral task
behavioral27
Sample
decoder_rol1.py
Resource
debian9-mipsbe-20231130-en
Behavioral task
behavioral28
Sample
decoder_rol1.py
Resource
debian9-mipsel-20231026-en
Behavioral task
behavioral29
Sample
decoder_xor1.py
Resource
ubuntu1804-amd64-20231026-en
Behavioral task
behavioral30
Sample
decoder_xor1.py
Resource
debian9-armhf-20231026-en
Behavioral task
behavioral31
Sample
decoder_xor1.py
Resource
debian9-mipsbe-20231026-en
Behavioral task
behavioral32
Sample
decoder_xor1.py
Resource
debian9-mipsel-20231130-en
General
-
Target
Challenge_FIles/Work_From_Home_Survey.docx
-
Size
26KB
-
MD5
41dacae2a33ee717abcc8011b705f2cb
-
SHA1
4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
-
SHA256
84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69
-
SHA512
11f7177dc3c8a804ff6450477e15aadd20fddac98205008db25a4f6ef69a54b7cb7c9dd0d7bdf1b1d317f306482d86ad5ef150530194de7d8dbe344203962648
-
SSDEEP
768:8HVoVneOa0HD/vb9EVoiJWq8UCei96T8vuX3m86RAFvg5e:8QVvbvb9wnIq8OitP88eY5e
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\trendparlye.com\wiki0509.html!x-usc:http:\trendparlye.com\wiki0509.html WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2880 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 2880 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2880 WINWORD.EXE 2880 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2880 wrote to memory of 1376 2880 WINWORD.EXE splwow64.exe PID 2880 wrote to memory of 1376 2880 WINWORD.EXE splwow64.exe PID 2880 wrote to memory of 1376 2880 WINWORD.EXE splwow64.exe PID 2880 wrote to memory of 1376 2880 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Work_From_Home_Survey.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C9B0A85A-1D50-41BC-A54F-FCB178FEAC5C}.FSDFilesize
128KB
MD53a11bb25fa9eaeaf3e4c382fde28e5e4
SHA1e6e86f64cec568cedd175b42f1c962463bbe9bcb
SHA25633f0b52d177cf548ccd65691bb76ee2165e5cfed645bd0e2e3dbc73aaae3623c
SHA512a4e50605c33ce1c0d8afe03e20638ec79d0fd1edb098e8a957fb68e19f793ce2e6fe92e67b7de4d533169c113e458d5592fef0eaf15f2d84f9a4140bd6107422
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5cd8f1e8caf7d1743fba459183aea9ea2
SHA1b13ffac6954e0cb2d7b62cbaca5387a95b1b9978
SHA256ac0bb8088c5d4cd99dc8b9d0db362b9a91701eb580c98d04b2f3d1b6b94e2533
SHA512a268952c0b8b544e7e298af62d07fc0eadd5e941cd57ac2d77b46fabbc5712495a232fa4c7be034aecefbeafcbf95ce7fabed45465c1c54363e68372799884cb
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5af301fb53080de633743e33118156bc9
SHA1a5a05e0944b9b531d2aa207227278404fe8bee87
SHA2560c6593f1b57dcb5f0e814b7554fa9b1f2fa4c1b3c7766697da6a10e85f7ba6c3
SHA512e1738a3b8a9fc22d911ade6fdb42e5a92f86690fb00c2b53c6c550c922013124e2ec1f9a44b17dfd0fa338257aacf605f2bb4b967dd059d20cf6f61920550022
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D2FDB8DE-C48E-4514-9CBD-7A4C26C50823}.FSDFilesize
128KB
MD54e38527c7b124257e602fc28e46c0cac
SHA13d368942811b348a2135dae09bbe6a1a53a48082
SHA256a4bd7744d3296b03729b26966759ae663909344beae5375b8bbdd4eb2ca7239e
SHA5129126bde21c9169e799e5f7874f2f3f0c7ddb354625a6b4b8eddbcbb68ed323fa87e2dcc45343d006a147b8be187c59b395c7f7fe6eb742b77d5801bb207d7d4e
-
C:\Users\Admin\AppData\Local\Temp\{2B808E9E-67B3-4BB3-A917-A47B1996B852}Filesize
128KB
MD56b3699c8ff78118227e33ff5ee4ddd52
SHA18835d4f066d62ef60a29bb6f411bf4c5b67863fb
SHA2562e6a993490f0adaf33c9b2505598f5f2834ba478922b285579d32c6eedd7d6db
SHA5126489c5dd3583f52fab3afed784e958f3de92573291ec67211bd38677256cb52a17b877587e7506d1fab7695d84d2fb07a4e843a8ad99792aec3d859502b70d0c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5ae784f78ce00de4beb5b1db6895f259e
SHA15564f4e4bd6fc3db2e13e5144ba6433ff8d844e5
SHA25614002f23ccc1892c4e7bfcb0a304a4193ad32831638b7a9cf493eca50cb5f5b5
SHA512a8c3e6850adfc1cddec4c5b4d6653a0140d994610abbaee7b7acaa678c76e4e5a57037c5433bf0ee00e4c0df2a339d5cb449e89fb933795af126af02ab6d7cc5
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/2880-0-0x000000002F0C1000-0x000000002F0C2000-memory.dmpFilesize
4KB
-
memory/2880-2-0x00000000716FD000-0x0000000071708000-memory.dmpFilesize
44KB
-
memory/2880-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2880-62-0x00000000716FD000-0x0000000071708000-memory.dmpFilesize
44KB
-
memory/2880-101-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2880-102-0x00000000716FD000-0x0000000071708000-memory.dmpFilesize
44KB