Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: 05d235c721556923fdfe9af09a5451b2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2 (this report; platform windows10-2004_x64 above)
  Sample: 05d235c721556923fdfe9af09a5451b2.exe
  Resource: win10v2004-20231215-en
General
Target: 05d235c721556923fdfe9af09a5451b2.exe (the file is named after its MD5)
Size: 45KB
MD5: 05d235c721556923fdfe9af09a5451b2
SHA1: b51b65f0f1edad8d91d27a4c6492760c32f83a74
SHA256: 47bbbdf5d71a41b7e75d55eaa04c544a5e582de9e6cfc418e54c91ca186a6e27
SHA512: e7dfed4527d03e61d781f2a5f5bb0faf865ebfa55e0417e19876febfbd333c5bf4a972a754159a6a3be0789f56e92a004d8b5578766abe72f0f7076736423cab
SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXn:EOxyeFo6NPCAosxYyXdF5oy3VoKn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Two different values are written here, each by the sample and by its dropped copies. The per-user Winlogon\Shell value does not exist on a clean profile; userinit.exe launches whatever it names in place of the plain shell, and here that is Explorer.exe with the dropped file as its argument, which starts the normal shell and opens (runs) the file. The Userinit value landed under WOW6432Node because the writer is 32-bit and the Winlogon key is redirected for 32-bit processes; the 64-bit Winlogon reads the native key, so that half of the persistence does not necessarily fire at a real logon on an x64 host. The Processes section below nevertheless shows the Shell change being acted on inside this run: the sample's copy starts userinit.exe (PID 764), which starts Explorer.exe "C:\recycled\SVCHOST.exe" (PID 4744).
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 05d235c721556923fdfe9af09a5451b2.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 05d235c721556923fdfe9af09a5451b2.exe
HideFileExt = 1 and ShowSuperHidden = 0 are the values a fresh Windows profile already carries, so on a host the values alone prove nothing; the signal is that the sample and its dropped copies write them. Together with the scrfile class changes further down, they keep a file such as name.doc.scr listed as name.doc and keep protected system files out of view.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 05d235c721556923fdfe9af09a5451b2.exe
Executes dropped EXE (12 IoCs)
pid | process
1540 | SVCHOST.EXE
3268 | SVCHOST.EXE
2340 | SVCHOST.EXE
3820 | SVCHOST.EXE
4236 | SVCHOST.EXE
2744 | SPOOLSV.EXE
4480 | SVCHOST.EXE
4476 | SVCHOST.EXE
4080 | SPOOLSV.EXE
2240 | SPOOLSV.EXE
1384 | SVCHOST.EXE
208 | SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)
description | ioc | process
File opened for modification | C:\Recycled\desktop.ini | 05d235c721556923fdfe9af09a5451b2.exe
File opened for modification | F:\Recycled\desktop.ini | 05d235c721556923fdfe9af09a5451b2.exe
The sample writes a Recycled folder on each drive it can reach (C: and F: here) next to the SVCHOST.EXE and SPOOLSV.EXE copies it executes from there. A desktop.ini in a folder named Recycled is the usual way to make Explorer render the folder with the Recycle Bin's name and icon; the report does not show the file's contents, so treat that as the likely intent rather than an observed fact.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every entry is "File opened (read-only) \??\<letter>:"; the 64 entries grouped by process (letters sorted, repeats kept) are:
05d235c721556923fdfe9af09a5451b2.exe (16 entries): G:, H:, I:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, V:, W:, X:, Y:
SPOOLSV.EXE (13 entries): E:, G:, I:, K:, M:, N:, O:, P:, T:, U:, V:, X:, Z:
SVCHOST.EXE (35 entries from several instances, so letters repeat): E: x2, G: x2, H: x2, I: x2, J: x2, K: x2, L:, M:, N: x2, O: x2, P: x2, Q:, R:, S:, T: x2, U: x2, V:, W: x2, X:, Y: x2, Z: x2
Drops file in Program Files directory (1 IoC)
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 05d235c721556923fdfe9af09a5451b2.exe
This is the same docicon.exe that the registry-class entries below set as Word.Document.8\DefaultIcon. The IoC is a write to a path inside Office's installer directory, so compare the file with a clean Office install before treating it as a simple drop of a new file.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Both of these signatures fired only on WINWORD.EXE (PID 2348), which the sample launched to open 05d235c721556923fdfe9af09a5451b2.doc, a document with the same base name as the sample. They are Word's normal start-up reads, not evasion checks by the sample or its dropped copies; weight them accordingly.
Modifies registry class (29 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (no value printed) | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (no value printed) | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (no value printed) | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\QuickTip = "prop:Type;Size" | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 05d235c721556923fdfe9af09a5451b2.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\TileInfo = "prop:Type;Size" | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 05d235c721556923fdfe9af09a5451b2.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 05d235c721556923fdfe9af09a5451b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (no value printed) | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 05d235c721556923fdfe9af09a5451b2.exe
Net effect: the default value of HKLM\SOFTWARE\Classes\scrfile (the type name Explorer displays for .scr files) becomes "Microsoft Word 97 - 2003 Document", the install and config verbs and their command subkeys are deleted, and the default of shell\open is rewritten (the report prints no value for it). Word.Document.8\DefaultIcon is pointed at the docicon.exe the sample opened for modification. Combined with HideFileExt = 1 above, a .scr file is listed with a Word type name and without its extension. The per-user Classes\*\InfoTip, QuickTip and TileInfo values control which properties Explorer shows in hover tooltips and tiles for every file type.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
2348 | WINWORD.EXE
2348 | WINWORD.EXE
(Both hits are WINWORD.EXE registering for clipboard notifications, which Word does on start-up.)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | hits
2744 | SPOOLSV.EXE | 12
2340 | SVCHOST.EXE | 24
1540 | SVCHOST.EXE | 24
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 4
Suspicious use of SetWindowsHookEx (20 IoCs)
pid | process | hits
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 1
1540 | SVCHOST.EXE | 1
3268 | SVCHOST.EXE | 1
2340 | SVCHOST.EXE | 1
3820 | SVCHOST.EXE | 1
4236 | SVCHOST.EXE | 1
2744 | SPOOLSV.EXE | 1
4480 | SVCHOST.EXE | 1
4476 | SVCHOST.EXE | 1
4080 | SPOOLSV.EXE | 1
2240 | SPOOLSV.EXE | 1
1384 | SVCHOST.EXE | 1
208 | SPOOLSV.EXE | 1
2348 | WINWORD.EXE | 7
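As an added example (the editor's code, not part of this report or of the sandbox's own tooling), the script below scores registry writes in the line format used by the "Modifies WinLogon for persistence", "Modifies visibility" and "Modifies registry class" entries above against the values a stock Windows 10 install carries. The DEFAULT_* constants, the severity labels and the one benign control line are assumptions; the remaining sample lines are copied from the report, so the output reproduces the triage argued in the notes above.

```python
"""Added example (editor's code, not part of the sandbox report): triage
Triage-style "Set value" registry IoC lines against the values a stock
Windows 10 install carries, so the Winlogon, Explorer-view and file-class
writes listed in the report can be scored mechanically. The DEFAULT_*
constants are assumptions about a clean system; SAMPLE_IOCS is constructed
from the report's own entries plus one benign control line."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    process: str    # process that performed the write
    path: str       # registry path as the sandbox prints it
    reason: str


# Line shape used by the report: Set value (<type>) <path> = "<value>" <process>
IOC_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+)$')

# Assumed clean defaults (Windows 10 x64); the report itself does not state them.
DEFAULT_USERINIT = "C:\\Windows\\system32\\userinit.exe,"
DEFAULT_SHELL = "explorer.exe"
DEFAULT_SCRFILE_TYPE = "Screen Saver"

SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" SVCHOST.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" SVCHOST.EXE',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\*\QuickTip = "prop:Type;Size" SPOOLSV.EXE',
    # Constructed benign control: the stock Userinit value, native view, written by a legitimate process.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," explorer.exe',
]


def parse_ioc(line):
    """Split one report line into (type, path, value, process); None if it is not a Set value line."""
    m = IOC_RE.match(line.strip())
    return m.groups() if m else None


def unescape(value):
    """The sandbox prints string data with doubled backslashes and backslash-escaped quotes; undo that."""
    return value.replace("\\\\", "\\").replace('\\"', '"').strip()


def classify(path, value, process):
    """Return a Finding for one write, or None when the write is consistent with a clean system."""
    p, proc, v = path.lower(), process.lower(), unescape(value)
    if p.endswith("\\winlogon\\userinit"):
        if v.lower() == DEFAULT_USERINIT.lower():
            return None
        note = (" (WOW6432Node view: a 32-bit writer was redirected here; 64-bit Winlogon does not read it)"
                if "\\wow6432node\\" in p else "")
        return Finding("high", process, path, f"Userinit replaced with {v!r}{note}")
    if p.endswith("\\winlogon\\shell"):
        if p.startswith("\\registry\\user\\"):
            return Finding("high", process, path, f"per-user Shell override {v!r}; a stock profile has no such value")
        return None if v.lower() == DEFAULT_SHELL else Finding("high", process, path, f"system Shell changed to {v!r}")
    if "\\explorer\\advanced\\" in p and proc != "explorer.exe":
        name = path.rsplit("\\", 1)[-1]
        effect = {"hidefileext": "1 hides known extensions, so name.doc.scr lists as name.doc",
                  "showsuperhidden": "0 re-hides protected system files"}.get(name.lower(), "Explorer view setting")
        return Finding("medium", process, path, f"{name} = {v} written by {process}: {effect}")
    if p.endswith("\\classes\\scrfile\\"):
        return None if v == DEFAULT_SCRFILE_TYPE else Finding("high", process, path, f"type name shown for .scr files changed to {v!r}")
    if p.endswith("\\defaulticon\\") and proc != "explorer.exe":
        return Finding("medium", process, path, f"DefaultIcon redirected to {v!r}")
    if re.search(r"classes\\\*\\(infotip|quicktip|tileinfo)$", p):
        return Finding("info", process, path, f"Explorer tooltip/tile properties changed to {v!r}")
    return None


def triage(lines):
    """Run every parsable line through classify() and keep the findings, in input order."""
    findings = []
    for line in lines:
        parsed = parse_ioc(line)
        if parsed:
            _, path, value, process = parsed
            finding = classify(path, value, process)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"[{f.severity:6}] {f.process:12} {f.reason}")
```

The benign control line is the only one that produces no finding; the Userinit write from the report is flagged with the WOW6432Node caveat, and the Explorer view values are flagged on the writer's identity rather than on the value, which matches what a host check has to do since those values are also the defaults.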
Suspicious use of WriteProcessMemory (44 IoCs)
Each row collapses identical records; the report prints three writes per process start (two for WINWORD.EXE).
writer pid | writer process | target pid | procid_target | writes
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 1540 | 38 | 3
1540 | SVCHOST.EXE | 3268 | 25 | 3
1540 | SVCHOST.EXE | 2340 | 22 | 3
2340 | SVCHOST.EXE | 3820 | 24 | 3
2340 | SVCHOST.EXE | 4236 | 23 | 3
2340 | SVCHOST.EXE | 2744 | 37 | 3
2744 | SPOOLSV.EXE | 4480 | 27 | 3
2744 | SPOOLSV.EXE | 4476 | 26 | 3
2744 | SPOOLSV.EXE | 4080 | 36 | 3
1540 | SVCHOST.EXE | 2240 | 28 | 3
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 1384 | 33 | 3
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 208 | 32 | 3
1540 | SVCHOST.EXE | 764 | 30 | 3
764 | userinit.exe | 4744 | 29 | 3
5088 | 05d235c721556923fdfe9af09a5451b2.exe | 2348 | 34 | 2
Every target appears in the Processes section as a process started in this run, so the pattern is a parent populating a child it has just created rather than injection into a foreign process; the records are still the most reliable parentage information on the page. The chain 5088 -> 1540 -> 764 (userinit.exe) -> 4744 (Explorer.exe "C:\recycled\SVCHOST.exe") is the Winlogon Shell value being acted on inside the sandbox run.
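As an added example (editor's code, not from the report), this script rebuilds the spawn tree from records in the shape of the WriteProcessMemory list above, collapsing the repeated writes per writer/target pair and extracting the chain that ends in the Explorer.exe relaunch. RECORDS is a constructed subset of the report's entries in the run-together form the page prints, and IMAGES maps PIDs to the command lines from the Processes section; both are embedded so the script runs offline.

```python
"""Added example (editor's code, not part of the sandbox report): rebuild the
spawn chain from Triage-style "PID A wrote to memory of B" records. The
report logs three such writes per process creation (two for WINWORD.EXE),
so collapsing repeated writer/target pairs yields the process tree, including
the userinit.exe -> Explorer.exe hop that shows the tampered Winlogon Shell
value being acted on. RECORDS and IMAGES are constructed from the report."""
import re
from collections import defaultdict

# Subset of the report's records, in the run-together form the page prints:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target index>
RECORDS = (
    "PID 5088 wrote to memory of 1540 5088 05d235c721556923fdfe9af09a5451b2.exe 38 " * 3
    + "PID 1540 wrote to memory of 2340 1540 SVCHOST.EXE 22 " * 3
    + "PID 2340 wrote to memory of 2744 2340 SVCHOST.EXE 37 " * 3
    + "PID 1540 wrote to memory of 764 1540 SVCHOST.EXE 30 " * 3
    + "PID 764 wrote to memory of 4744 764 userinit.exe 29 " * 3
    + "PID 5088 wrote to memory of 2348 5088 05d235c721556923fdfe9af09a5451b2.exe 34 " * 2
)

# Command lines from the report's Processes section, keyed by PID.
IMAGES = {
    5088: r"C:\Users\Admin\AppData\Local\Temp\05d235c721556923fdfe9af09a5451b2.exe",
    1540: r"C:\recycled\SVCHOST.EXE :agent",
    2340: r"F:\recycled\SVCHOST.EXE :agent",
    2744: r"C:\recycled\SPOOLSV.EXE :agent",
    764: r"C:\Windows\SysWOW64\userinit.exe",
    4744: r'C:\Windows\SysWOW64\Explorer.exe "C:\recycled\SVCHOST.exe"',
    2348: r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
}

# The backreference \1 insists that the repeated writer PID matches, which rejects torn records.
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_records(text):
    """Return (writer_pid, target_pid, writer_image) for every record found in the text."""
    return [(int(w), int(t), img) for w, t, img, _ in RECORD_RE.findall(text)]


def build_tree(records):
    """Collapse repeated writes into parent -> [children] (first-seen order) and per-edge write counts."""
    children, counts = defaultdict(list), defaultdict(int)
    for parent, child, _ in records:
        if child not in children[parent]:
            children[parent].append(child)
        counts[(parent, child)] += 1
    return dict(children), dict(counts)


def chain(children, root, target, path=()):
    """Spawn path root -> ... -> target as a list, or None if target is not a descendant of root."""
    path = (*path, root)
    if root == target:
        return list(path)
    for child in children.get(root, ()):
        found = chain(children, child, target, path)
        if found:
            return found
    return None


def render(children, counts, root, images=IMAGES, depth=0):
    """Indented text tree; every child line carries the number of writes that preceded its start."""
    lines = [f"{'  ' * depth}{root}  {images.get(root, '?')}"]
    for child in children.get(root, ()):
        sub = render(children, counts, child, images, depth + 1)
        sub[0] += f"  [{counts[(root, child)]} writes]"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    kids, cnt = build_tree(parse_records(RECORDS))
    print("\n".join(render(kids, cnt, 5088)))
    print("Explorer relaunch chain:", " -> ".join(map(str, chain(kids, 5088, 4744))))
```

Feeding it the full 44-record list from the report instead of the subset gives the complete tree, which differs from the sandbox's depth rendering in the Processes section (several depth-1 entries there are children of PID 1540 or 2744 according to these records).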
Processes
C:\Users\Admin\AppData\Local\Temp\05d235c721556923fdfe9af09a5451b2.exe  (PID 5088, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d235c721556923fdfe9af09a5451b2.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\recycled\SPOOLSV.EXE  (PID 208, depth 2)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  F:\recycled\SVCHOST.EXE  (PID 1384, depth 2)
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2348, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\05d235c721556923fdfe9af09a5451b2.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\recycled\SVCHOST.EXE  (PID 1540, depth 2)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for pers istence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
F:\recycled\SVCHOST.EXE  (PID 2340, depth 1)
  Command line: F:\recycled\SVCHOST.EXE :agent
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  F:\recycled\SVCHOST.EXE  (PID 4236, depth 2)
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\recycled\SVCHOST.EXE  (PID 3820, depth 2)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\recycled\SPOOLSV.EXE  (PID 2744, depth 2)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
C:\recycled\SVCHOST.EXE  (PID 3268, depth 1)
  Command line: C:\recycled\SVCHOST.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
F:\recycled\SVCHOST.EXE  (PID 4476, depth 1)
  Command line: F:\recycled\SVCHOST.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
C:\recycled\SVCHOST.EXE  (PID 4480, depth 1)
  Command line: C:\recycled\SVCHOST.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
C:\recycled\SPOOLSV.EXE  (PID 2240, depth 1)
  Command line: C:\recycled\SPOOLSV.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\Explorer.exe  (PID 4744, depth 1)
  Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
C:\Windows\SysWOW64\userinit.exe  (PID 764, depth 1)
  Command line: C:\Windows\system32\userinit.exe
  - Suspicious use of WriteProcessMemory
C:\Windows\explorer.exe  (PID 536, depth 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\recycled\SPOOLSV.EXE  (PID 4080, depth 1)
  Command line: C:\recycled\SPOOLSV.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Depth is the sandbox's rendering, not the full parentage: the WriteProcessMemory records above show PIDs 2340, 3268, 2240 and 764 started by 1540, and 4476, 4480 and 4080 by 2744. Every dropped copy is invoked with the argument :agent. PID 764 was started with the command line C:\Windows\system32\userinit.exe but ran from SysWOW64 (file-system redirection for a 32-bit parent), and it started Explorer.exe "C:\recycled\SVCHOST.exe" (PID 4744), the value the sample wrote to Winlogon\Shell. PID 536 is a COM-activated explorer.exe instance (-Embedding); no process in this report is recorded writing to it.
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (45KB)
  MD5: 332b19b90a767972d3e04837d92d6eca
  SHA1: d9990249b983ac5eea42a5c68291ce50473f8a90
  SHA256: efce909fe3efb0a5066c5f735f4bee666303ff3a4a6a0dac2bbe46fe90abbfb4
  SHA512: 997002a19a07164a04927cb0d0a56dfc6df19f89a920540fdfc6ff4134a616f55b5bb75340a2453a9d0ab1d26624e53b5b655e321424bf5e308666093f464f91
File 2 (65B)
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
File 3 (1KB)
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
File 4 (2B)
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
File 5 (45KB)
  MD5: c8c55319ee331602312d2ea229968f8d
  SHA1: 32de7ea396653d6c2b2995624443a2372468530d
  SHA256: 8d66d84c5e87278a48412b7af1e9d9399a33f7c1a33f3ceea91d28b38b55a082
  SHA512: 2871abf01b002a95c9102127c455eb74ebb82a3e7d80083cd17a8658bf8c6ec9ac671993f0d5039c0cd039addefadd2deab8c7ba6ee6d0d8522bd9d14be23f0d
File 6 (45KB)
  MD5: 71c4e9bdf85bf5cc4b87ada966b35bf4
  SHA1: 83a6ee8dd2c47d3b604c659363c85abd5af81e46
  SHA256: 7413cefc1536da50f4d4cb9f9fd9f93e9ea9a2e5df4daf08f447a5aa3b669f5b
  SHA512: 460af6b9811dec49a9ad63ea6018dd6b2223290772d1fdc1de60c2fa1640ef1a34f37e3c2cdcd12a3dd30c99101a585db442e04014334265ce6c040d8dc6a7f6
The report attaches no filenames to these artifacts (numbering above is the report's order). The three 45KB files carry three different hashes and none of them matches the submitted sample (MD5 05d235c721556923fdfe9af09a5451b2), so an exact-hash match on the original will not cover the other 45KB artifacts from this run; pivot on the SSDEEP hash and the behavioural indicators above instead.