Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26/12/2023, 11:50
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
6c291243393d267250d505ba4c27195a.exe
Resource
win7-20231215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
6c291243393d267250d505ba4c27195a.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
6c291243393d267250d505ba4c27195a.exe
-
Size
512KB
-
MD5
6c291243393d267250d505ba4c27195a
-
SHA1
7e83b699350852b83ea9a64143a3e1ebb958e677
-
SHA256
d74b4718c7a0600e9b5194f97ce96acffb96da0c7dd55da02fb5fee051e29ade
-
SHA512
dd9a19f454add4c7b2f3ddaa4804afee65e68e9409142cb8717ddd0ee80d59e54f3eb458c05f62fafd6d99439e5d04ab7675c6ba76781cb9ed3f15d8ed2e9202
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ziesmjadlo.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ziesmjadlo.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ziesmjadlo.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ziesmjadlo.exe -
Executes dropped EXE 5 IoCs
pid Process 2836 ziesmjadlo.exe 3064 etgsklsrzspmwgv.exe 3052 ksblqgwc.exe 2364 mnjnmbdvkopoh.exe 2032 ksblqgwc.exe -
Loads dropped DLL 5 IoCs
pid Process 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 2836 ziesmjadlo.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ziesmjadlo.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pblmxkcv = "ziesmjadlo.exe" etgsklsrzspmwgv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nfaauowq = "etgsklsrzspmwgv.exe" etgsklsrzspmwgv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mnjnmbdvkopoh.exe" etgsklsrzspmwgv.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\t: ksblqgwc.exe File opened (read-only) \??\k: ksblqgwc.exe File opened (read-only) \??\w: ksblqgwc.exe File opened (read-only) \??\s: ziesmjadlo.exe File opened (read-only) \??\v: ziesmjadlo.exe File opened (read-only) \??\a: ksblqgwc.exe File opened (read-only) \??\o: ksblqgwc.exe File opened (read-only) \??\l: ksblqgwc.exe File opened (read-only) \??\j: ziesmjadlo.exe File opened (read-only) \??\t: ziesmjadlo.exe File opened (read-only) \??\a: ziesmjadlo.exe File opened (read-only) \??\h: ksblqgwc.exe File opened (read-only) \??\p: ksblqgwc.exe File opened (read-only) \??\x: ziesmjadlo.exe File opened (read-only) \??\z: ksblqgwc.exe File opened (read-only) \??\h: ksblqgwc.exe File opened (read-only) \??\u: ksblqgwc.exe File opened (read-only) \??\y: ksblqgwc.exe File opened (read-only) \??\b: ziesmjadlo.exe File opened (read-only) \??\o: ziesmjadlo.exe File opened (read-only) \??\k: ziesmjadlo.exe File opened (read-only) \??\r: ziesmjadlo.exe File opened (read-only) \??\u: ksblqgwc.exe File opened (read-only) \??\r: ksblqgwc.exe File opened (read-only) \??\i: ziesmjadlo.exe File opened (read-only) \??\m: ziesmjadlo.exe File opened (read-only) \??\z: ziesmjadlo.exe File opened (read-only) \??\e: ksblqgwc.exe File opened (read-only) \??\g: ksblqgwc.exe File opened (read-only) \??\g: ksblqgwc.exe File opened (read-only) \??\p: ksblqgwc.exe File opened (read-only) \??\x: ksblqgwc.exe File opened (read-only) \??\n: ziesmjadlo.exe File opened (read-only) \??\u: ziesmjadlo.exe File opened (read-only) \??\b: ksblqgwc.exe File opened (read-only) \??\l: ksblqgwc.exe File opened (read-only) \??\r: ksblqgwc.exe File opened (read-only) \??\q: ksblqgwc.exe File opened (read-only) \??\s: ksblqgwc.exe File opened (read-only) \??\v: ksblqgwc.exe File opened (read-only) \??\l: ziesmjadlo.exe File opened (read-only) \??\y: ziesmjadlo.exe File opened (read-only) \??\s: ksblqgwc.exe File opened (read-only) \??\e: ksblqgwc.exe File opened (read-only) \??\n: ksblqgwc.exe File opened (read-only) \??\w: ziesmjadlo.exe File opened (read-only) \??\y: ksblqgwc.exe File opened (read-only) \??\x: ksblqgwc.exe File opened (read-only) \??\n: ksblqgwc.exe File opened (read-only) \??\b: ksblqgwc.exe File opened (read-only) \??\m: ksblqgwc.exe File opened (read-only) \??\z: ksblqgwc.exe File opened (read-only) \??\g: ziesmjadlo.exe File opened (read-only) \??\q: ziesmjadlo.exe File opened (read-only) \??\a: ksblqgwc.exe File opened (read-only) \??\j: ksblqgwc.exe File opened (read-only) \??\p: ziesmjadlo.exe File opened (read-only) \??\j: ksblqgwc.exe File opened (read-only) \??\h: ziesmjadlo.exe File opened (read-only) \??\i: ksblqgwc.exe File opened (read-only) \??\q: ksblqgwc.exe File opened (read-only) \??\v: ksblqgwc.exe File opened (read-only) \??\w: ksblqgwc.exe File opened (read-only) \??\i: ksblqgwc.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ziesmjadlo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ziesmjadlo.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1936-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000c0000000146c8-5.dat autoit_exe behavioral1/files/0x000b000000012261-17.dat autoit_exe behavioral1/files/0x0007000000016d2e-34.dat autoit_exe behavioral1/files/0x000c0000000146c8-33.dat autoit_exe behavioral1/files/0x0033000000016cd7-28.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\etgsklsrzspmwgv.exe 6c291243393d267250d505ba4c27195a.exe File created C:\Windows\SysWOW64\mnjnmbdvkopoh.exe 6c291243393d267250d505ba4c27195a.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ziesmjadlo.exe File opened for modification C:\Windows\SysWOW64\ksblqgwc.exe 6c291243393d267250d505ba4c27195a.exe File opened for modification C:\Windows\SysWOW64\mnjnmbdvkopoh.exe 6c291243393d267250d505ba4c27195a.exe File created C:\Windows\SysWOW64\ziesmjadlo.exe 6c291243393d267250d505ba4c27195a.exe File opened for modification C:\Windows\SysWOW64\ziesmjadlo.exe 6c291243393d267250d505ba4c27195a.exe File opened for modification C:\Windows\SysWOW64\etgsklsrzspmwgv.exe 6c291243393d267250d505ba4c27195a.exe File created C:\Windows\SysWOW64\ksblqgwc.exe 6c291243393d267250d505ba4c27195a.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ksblqgwc.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ksblqgwc.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ksblqgwc.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ksblqgwc.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ksblqgwc.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ksblqgwc.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ksblqgwc.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ksblqgwc.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 6c291243393d267250d505ba4c27195a.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9B0F96AF2E3837B3B3681983E93B3FC038C4268034FE2C942E709D3" 6c291243393d267250d505ba4c27195a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC60C15E3DAC5B9C17C90ECE037C8" 6c291243393d267250d505ba4c27195a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B029479739EE52CFBAD53392D7C5" 6c291243393d267250d505ba4c27195a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ziesmjadlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6c291243393d267250d505ba4c27195a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ziesmjadlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB7FE6821ACD178D0A58A7A9017" 6c291243393d267250d505ba4c27195a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ziesmjadlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2600 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 3064 etgsklsrzspmwgv.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 1936 6c291243393d267250d505ba4c27195a.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 2836 ziesmjadlo.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3064 etgsklsrzspmwgv.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 3052 ksblqgwc.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2364 mnjnmbdvkopoh.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe 2032 ksblqgwc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2600 WINWORD.EXE 2600 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2836 1936 6c291243393d267250d505ba4c27195a.exe 28 PID 1936 wrote to memory of 2836 1936 6c291243393d267250d505ba4c27195a.exe 28 PID 1936 wrote to memory of 2836 1936 6c291243393d267250d505ba4c27195a.exe 28 PID 1936 wrote to memory of 2836 1936 6c291243393d267250d505ba4c27195a.exe 28 PID 1936 wrote to memory of 3064 1936 6c291243393d267250d505ba4c27195a.exe 33 PID 1936 wrote to memory of 3064 1936 6c291243393d267250d505ba4c27195a.exe 33 PID 1936 wrote to memory of 3064 1936 6c291243393d267250d505ba4c27195a.exe 33 PID 1936 wrote to memory of 3064 1936 6c291243393d267250d505ba4c27195a.exe 33 PID 1936 wrote to memory of 3052 1936 6c291243393d267250d505ba4c27195a.exe 29 PID 1936 wrote to memory of 3052 1936 6c291243393d267250d505ba4c27195a.exe 29 PID 1936 wrote to memory of 3052 1936 6c291243393d267250d505ba4c27195a.exe 29 PID 1936 wrote to memory of 3052 1936 6c291243393d267250d505ba4c27195a.exe 29 PID 1936 wrote to memory of 2364 1936 6c291243393d267250d505ba4c27195a.exe 30 PID 1936 wrote to memory of 2364 1936 6c291243393d267250d505ba4c27195a.exe 30 PID 1936 wrote to memory of 2364 1936 6c291243393d267250d505ba4c27195a.exe 30 PID 1936 wrote to memory of 2364 1936 6c291243393d267250d505ba4c27195a.exe 30 PID 2836 wrote to memory of 2032 2836 ziesmjadlo.exe 31 PID 2836 wrote to memory of 2032 2836 ziesmjadlo.exe 31 PID 2836 wrote to memory of 2032 2836 ziesmjadlo.exe 31 PID 2836 wrote to memory of 2032 2836 ziesmjadlo.exe 31 PID 1936 wrote to memory of 2600 1936 6c291243393d267250d505ba4c27195a.exe 32 PID 1936 wrote to memory of 2600 1936 6c291243393d267250d505ba4c27195a.exe 32 PID 1936 wrote to memory of 2600 1936 6c291243393d267250d505ba4c27195a.exe 32 PID 1936 wrote to memory of 2600 1936 6c291243393d267250d505ba4c27195a.exe 32 PID 2600 wrote to memory of 1200 2600 WINWORD.EXE 36 PID 2600 wrote to memory of 1200 2600 WINWORD.EXE 36 PID 2600 wrote to memory of 1200 2600 WINWORD.EXE 36 PID 2600 wrote to memory of 1200 2600 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c291243393d267250d505ba4c27195a.exe"C:\Users\Admin\AppData\Local\Temp\6c291243393d267250d505ba4c27195a.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\ziesmjadlo.exeziesmjadlo.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\ksblqgwc.exeC:\Windows\system32\ksblqgwc.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2032
-
-
-
C:\Windows\SysWOW64\ksblqgwc.exeksblqgwc.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052
-
-
C:\Windows\SysWOW64\mnjnmbdvkopoh.exemnjnmbdvkopoh.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2364
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1200
-
-
-
C:\Windows\SysWOW64\etgsklsrzspmwgv.exeetgsklsrzspmwgv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3064
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD568c730e0891c22eecc0e07789d627482
SHA152a22bd62c2b996c3d2b8c591f2d356a8af5fc3b
SHA2561ce8a15bb4f586dc942b178467791951f018c45de4fe05d5dad10d18e182a86a
SHA512eb409651a711677671fbb0f2392c760840bf5cebad25734d6e44419f90d8d0d4cf63b58d7a05dc0a9004cdd75c0908750aa0d51df5470c1545b1d9b5fa773659
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
512KB
MD5ec569e996871a580e67c256f40dde7c7
SHA10311d8ee598f67479229038c86566e8f80358edc
SHA256034b66da9828fe05aa184c79b48b14e0ebff2d9f33aab2102953a3862057bbb1
SHA5125be00a79e987697d660d3117e614e81d31525576e4763d56bac0479959b4bbc3e2fe3fae73898d73124d783302a61d322a37a427f318400f0bdff519b2b40049
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
85KB
MD527623bf17711551baa843bbab18a4b07
SHA12d6d50bab42c5defdd9bdf3f14fb826853558392
SHA2566a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368
SHA51253f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b
-
Filesize
512KB
MD57c3da7d3b7fdfdef305f8353ee769bf7
SHA15f138dd89c422016b0580f88ac49e42d17240d4e
SHA256783cc268a0883ac34b258cfbf89f3eb59eef1a52f58e1b62535c42f0c48e66d1
SHA51257ad5b90c45bedca20f89863c50043bf387bece0033b6f0cc26d546e14a9bfb306e222baf6e1de0aafe2fdbd45d45490a46cb1cb54928b8ec34bb3100e0bbcaa