6d815b4ec81d4ea54182f6d99861fbd1d94e9b3f0f611beb7593cbbe15d75391

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2130a456b913ec6d1f4f69d53d617d21.exe
Size

512KB
MD5

2130a456b913ec6d1f4f69d53d617d21
SHA1

5311be53a09fdc5164c5d870760536fbc8b7001f
SHA256

6d815b4ec81d4ea54182f6d99861fbd1d94e9b3f0f611beb7593cbbe15d75391
SHA512

36b0025849c499a92fb86c351d49ea3562f7813c07d4f440ff8629752b3c4d352018cfd4802c7b5c9019429187860bb1e3cc2c7acb64f9bec20e99ddd3c94e20
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3000	qcffuegkhi.exe
2800	svrfsbeohgpupec.exe
2324	gzvrdseh.exe
2564	hsimvbppolakz.exe

Loads dropped DLL 4 IoCs

pid	Process
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zkekaijj = "qcffuegkhi.exe"	svrfsbeohgpupec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eoaubqtq = "svrfsbeohgpupec.exe"	svrfsbeohgpupec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hsimvbppolakz.exe"	svrfsbeohgpupec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	gzvrdseh.exe
File opened (read-only)	\??\z:	gzvrdseh.exe
File opened (read-only)	\??\b:	gzvrdseh.exe
File opened (read-only)	\??\h:	gzvrdseh.exe
File opened (read-only)	\??\m:	gzvrdseh.exe
File opened (read-only)	\??\n:	gzvrdseh.exe
File opened (read-only)	\??\p:	gzvrdseh.exe
File opened (read-only)	\??\x:	gzvrdseh.exe
File opened (read-only)	\??\y:	gzvrdseh.exe
File opened (read-only)	\??\e:	gzvrdseh.exe
File opened (read-only)	\??\l:	gzvrdseh.exe
File opened (read-only)	\??\j:	gzvrdseh.exe
File opened (read-only)	\??\k:	gzvrdseh.exe
File opened (read-only)	\??\o:	gzvrdseh.exe
File opened (read-only)	\??\r:	gzvrdseh.exe
File opened (read-only)	\??\t:	gzvrdseh.exe
File opened (read-only)	\??\w:	gzvrdseh.exe
File opened (read-only)	\??\a:	gzvrdseh.exe
File opened (read-only)	\??\g:	gzvrdseh.exe
File opened (read-only)	\??\u:	gzvrdseh.exe
File opened (read-only)	\??\v:	gzvrdseh.exe
File opened (read-only)	\??\i:	gzvrdseh.exe
File opened (read-only)	\??\q:	gzvrdseh.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b0000000141a2-5.dat	autoit_exe
behavioral1/files/0x0007000000014667-36.dat	autoit_exe
behavioral1/files/0x000b0000000141a2-39.dat	autoit_exe
behavioral1/files/0x0007000000014667-38.dat	autoit_exe
behavioral1/files/0x00090000000143ec-26.dat	autoit_exe
behavioral1/files/0x00090000000143ec-32.dat	autoit_exe
behavioral1/files/0x0007000000014667-29.dat	autoit_exe
behavioral1/files/0x000b0000000141a2-21.dat	autoit_exe
behavioral1/files/0x000b0000000141a2-25.dat	autoit_exe
behavioral1/files/0x000a000000013a71-20.dat	autoit_exe
behavioral1/files/0x000a000000013a71-17.dat	autoit_exe
behavioral1/files/0x000a000000013a71-61.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gzvrdseh.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File created	C:\Windows\SysWOW64\hsimvbppolakz.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File opened for modification	C:\Windows\SysWOW64\hsimvbppolakz.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File created	C:\Windows\SysWOW64\qcffuegkhi.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File opened for modification	C:\Windows\SysWOW64\qcffuegkhi.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File created	C:\Windows\SysWOW64\svrfsbeohgpupec.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File opened for modification	C:\Windows\SysWOW64\svrfsbeohgpupec.exe	2130a456b913ec6d1f4f69d53d617d21.exe
File created	C:\Windows\SysWOW64\gzvrdseh.exe	2130a456b913ec6d1f4f69d53d617d21.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gzvrdseh.exe
File opened for modification	\??\c:\Program Files\SuspendCompare.doc.exe	gzvrdseh.exe
File opened for modification	C:\Program Files\SuspendCompare.doc.exe	gzvrdseh.exe
File opened for modification	C:\Program Files\SuspendCompare.nal	gzvrdseh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gzvrdseh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gzvrdseh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gzvrdseh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gzvrdseh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gzvrdseh.exe
File created	\??\c:\Program Files\SuspendCompare.doc.exe	gzvrdseh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gzvrdseh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gzvrdseh.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	2130a456b913ec6d1f4f69d53d617d21.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BC5FE1821AAD208D0A78A089160"	2130a456b913ec6d1f4f69d53d617d21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67E15E3DBBEB8BD7FE5ECE537C8"	2130a456b913ec6d1f4f69d53d617d21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2464	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2360	2130a456b913ec6d1f4f69d53d617d21.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2564	hsimvbppolakz.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2800	svrfsbeohgpupec.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe
2324	gzvrdseh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2464	WINWORD.EXE
2464	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3000	2360	2130a456b913ec6d1f4f69d53d617d21.exe	29
PID 2360 wrote to memory of 3000	2360	2130a456b913ec6d1f4f69d53d617d21.exe	29
PID 2360 wrote to memory of 3000	2360	2130a456b913ec6d1f4f69d53d617d21.exe	29
PID 2360 wrote to memory of 3000	2360	2130a456b913ec6d1f4f69d53d617d21.exe	29
PID 2360 wrote to memory of 2800	2360	2130a456b913ec6d1f4f69d53d617d21.exe	28
PID 2360 wrote to memory of 2800	2360	2130a456b913ec6d1f4f69d53d617d21.exe	28
PID 2360 wrote to memory of 2800	2360	2130a456b913ec6d1f4f69d53d617d21.exe	28
PID 2360 wrote to memory of 2800	2360	2130a456b913ec6d1f4f69d53d617d21.exe	28
PID 2360 wrote to memory of 2324	2360	2130a456b913ec6d1f4f69d53d617d21.exe	27
PID 2360 wrote to memory of 2324	2360	2130a456b913ec6d1f4f69d53d617d21.exe	27
PID 2360 wrote to memory of 2324	2360	2130a456b913ec6d1f4f69d53d617d21.exe	27
PID 2360 wrote to memory of 2324	2360	2130a456b913ec6d1f4f69d53d617d21.exe	27
PID 2360 wrote to memory of 2564	2360	2130a456b913ec6d1f4f69d53d617d21.exe	25
PID 2360 wrote to memory of 2564	2360	2130a456b913ec6d1f4f69d53d617d21.exe	25
PID 2360 wrote to memory of 2564	2360	2130a456b913ec6d1f4f69d53d617d21.exe	25
PID 2360 wrote to memory of 2564	2360	2130a456b913ec6d1f4f69d53d617d21.exe	25
PID 2360 wrote to memory of 2464	2360	2130a456b913ec6d1f4f69d53d617d21.exe	26
PID 2360 wrote to memory of 2464	2360	2130a456b913ec6d1f4f69d53d617d21.exe	26
PID 2360 wrote to memory of 2464	2360	2130a456b913ec6d1f4f69d53d617d21.exe	26
PID 2360 wrote to memory of 2464	2360	2130a456b913ec6d1f4f69d53d617d21.exe	26
PID 2464 wrote to memory of 2856	2464	WINWORD.EXE	35
PID 2464 wrote to memory of 2856	2464	WINWORD.EXE	35
PID 2464 wrote to memory of 2856	2464	WINWORD.EXE	35
PID 2464 wrote to memory of 2856	2464	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\2130a456b913ec6d1f4f69d53d617d21.exe
"C:\Users\Admin\AppData\Local\Temp\2130a456b913ec6d1f4f69d53d617d21.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\hsimvbppolakz.exe
  hsimvbppolakz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2564
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2856
- C:\Windows\SysWOW64\gzvrdseh.exe
  gzvrdseh.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2324
- C:\Windows\SysWOW64\svrfsbeohgpupec.exe
  svrfsbeohgpupec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2800
- C:\Windows\SysWOW64\qcffuegkhi.exe
  qcffuegkhi.exe
  2⤵
  - Executes dropped EXE
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c0f9e0b28732b9908120eb8f4034deec

SHA1
66bb3ec6c3a5e5798f66bd85b98dd94deb1ac617

SHA256
a4b105388a5b4ee4103283d0ecde7a1dbf0eb6683cf8b8510552695c93030e2d

SHA512
705a2bd08d8c9c1c88b5425cff204e4f1e8bfc73b6b2585b5701a8ca2e3eefe5287f0eb41e24badd6a4801da84c8ad4a0bb388a205a559b16f1491af0d877401

Download Submit
C:\Windows\SysWOW64\gzvrdseh.exe

Filesize
79KB

MD5
8fab2e4bf37b0e18ce8e964789a8b069

SHA1
93cc2d2e52dbfe74947415705f36d408f8d216ff

SHA256
7733b49e44c82365aea7b8be7b45e15e0db8bb1b073bd5f1e7e7f75fc50ee803

SHA512
da2f5300e22c49671be0cbab12a534c2d66d3b9c10ce5bb70d1a2e2765901719553bb898983f5b14f6c515e3b1b737a3d084cda36961a243a55b989da918d0c2

Download Submit
C:\Windows\SysWOW64\hsimvbppolakz.exe

Filesize
45KB

MD5
e8d0a210a7de9cb675e1378280b0b6de

SHA1
c2ab939a2766a03bf6c24459cd935c2d580f220d

SHA256
c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

SHA512
e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Download Submit
C:\Windows\SysWOW64\hsimvbppolakz.exe

Filesize
74KB

MD5
84b1d2161eff7f096b084d323391c90f

SHA1
7ba9be8e1ccb681753275a5858709bf6c9ad9264

SHA256
d460b902bb653cf21e900409b5f6ef07a49d5254c37071a05b93c10b774e81dc

SHA512
bd21d8f56410a4d925679d330a5034ba9bc9bfdeea23603f9c136e51144e59a7f4816f766e9fa8bc9be88c8d49fd2c576f04e1fcdcb4c957a03e14f2318d10fb

Download Submit
C:\Windows\SysWOW64\qcffuegkhi.exe

Filesize
360KB

MD5
d617b591cc34bc3f78538ee8a4dbe6e6

SHA1
a8f15895fbd267403572fc7e6fe7741cd2a6133e

SHA256
b361a23f791c01bd277b775c7e0379923ca0b50545351fb42a07c28fdef67df2

SHA512
995604102e5b0ae60bda2846166e9305fb8dd3f0d71acd3af1ad977fd31ecebc3f1f6ee6abcc198779c2ff3dec0826c9a5fa123f6cd15eb3b7a5b0ca9f81df39

Download Submit
C:\Windows\SysWOW64\qcffuegkhi.exe

Filesize
71KB

MD5
710ce572414df5c6858d13c0b36e824a

SHA1
4151e6260b72005bc4a8c9153a3e065e163812a0

SHA256
6579dc768ae994f2d6f1b9a1a5eacdda29c244fd80f69ca26b848048def969d7

SHA512
498a90cb2591b9ce092462eae9ab885348072b1f5bdf0221dd4dd76fa45aabfe0d0ba5abbaf0c6ca536d0d891ee3c220a65343da2349951aa42787a6aa94934e

Download Submit
C:\Windows\SysWOW64\svrfsbeohgpupec.exe

Filesize
330KB

MD5
bff670170ca782b135b92636ae88d187

SHA1
4c783545b8de994064de4f4bd1356993c9fe9f74

SHA256
fbd519f862c8ef689e30e9a10b74735ae38d9660819edfbff1063f1bc40ae3f3

SHA512
b27f13b5b3e3c8e3d446d8afa1d9fa7606ec6bef60c9202546e7a352543c896ebee71bb6b9b15212a8890dc656e2722ac76735ce9ecefa4ff97a70f0e5e65353

Download Submit
C:\Windows\SysWOW64\svrfsbeohgpupec.exe

Filesize
53KB

MD5
e4a8c3192d527c5dfae3dcc0762b8f38

SHA1
9b8c7eabd87a32f6d32b8b7f5963ca4d20b2465f

SHA256
debd42f4aa5adb475145f342a354bac32c2a4fb3ecf5afb41ce503bb00c2b5a7

SHA512
20e052d74e5c91a437cdf92ef642fd98d0fd3bef66e52293cdb0f0a2a21a4f4dbe6497fc74cb1d0a11da67c392ad58fd845a4bb6c30018967cbf8ae1213b384f

Download Submit
C:\Windows\SysWOW64\svrfsbeohgpupec.exe

Filesize
133KB

MD5
1b63faed91afdaf375186a526a80fb57

SHA1
a1a2b760fce63d0a8921d0dece8bc13373c3fa43

SHA256
bff15063262a13421c14df4de98c9d431201b3b71b55ffdc0a46e1b13cf4ebf4

SHA512
6c1344116b1f8b93df1c4ca3a3b941c450a7b0a5417839c198468ab7f785395857046556e63034d3abac6a857c044dd262c587297a35ee4c3df2592e7da49133

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\gzvrdseh.exe

Filesize
64KB

MD5
d76d22b81130bc9206c7c947d7a9ea5e

SHA1
5956e88a6ec7949ce5a350e21703307d855f34b1

SHA256
b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870

SHA512
112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1

Download Submit
\Windows\SysWOW64\hsimvbppolakz.exe

Filesize
248KB

MD5
42ee75ddf6358046d636c886e27d1d9f

SHA1
a58faa016e4419a8039bcb7f558dd5673af77d5a

SHA256
a4d5c27e07387b6487733be452061bf1930c21b66dd1db90ee6044214675fd5e

SHA512
5530a812f02218a0e7ab39410e5c88d4aa82275b07eb45dbfac627b058a78cedd325c6c16e5976126da107678f48a2899da8da161689d02a1e89fa56097f62eb

Download Submit
\Windows\SysWOW64\qcffuegkhi.exe

Filesize
396KB

MD5
232089e19031c76626a94f33f191c7dc

SHA1
85b8dcd0ce3c0756cd9a73aa44d806bacf8fde5b

SHA256
d3404ad2002d2eff999c8f1252b8e5715fd8371dac6627bcef52a744537f9db6

SHA512
8d16832d06f28ebf26dbdfada3b0c76429f9c9dbce833a66e97a794416606e0bc52aad4041e730290e8f639c9205a739a7b7b9aaa3cba52f1feeab9ef848f50e

Download Submit
\Windows\SysWOW64\svrfsbeohgpupec.exe

Filesize
206KB

MD5
0a56b6a6bc1ec7e9238b8988879131a2

SHA1
68a7f815c34381fab9ad6f36a542aa15c3e0e64d

SHA256
6c1fb1b3f095a9a26df02773d5a36d33f2aacf55534ede549c6d5511c8dcab13

SHA512
f51f51a4abc6c5d7cf7196ff09625c97e7549958e050c3f03d84b38874f081e63b50d95d8b3596a27d4026f175827908ff87c688d25fed58eaf1f0af0bd76eb8

Download Submit
memory/2360-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2464-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2464-41-0x000000002F041000-0x000000002F042000-memory.dmp

Filesize
4KB

Download
memory/2464-43-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/2464-79-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/2464-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download