Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
19/01/2024, 16:14
Static task
static1
Behavioral task
behavioral1
Sample
PO-5299.xls
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
PO-5299.xls
Resource
win10v2004-20231222-en
General
-
Target
PO-5299.xls
-
Size
389KB
-
MD5
ca93ad9d9887663ed1afc2197b775268
-
SHA1
017bb90012dfa9fd9a6a05efd01d1d929e411039
-
SHA256
3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb
-
SHA512
02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af
-
SSDEEP
6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY
Malware Config
Extracted
formbook
4.1
he09
clhear.com
maythunguyen.com
xiongmaoaijia.com
kembangzadsloh.xyz
speedwagner.com
360bedroom.com
campereurorg.top
cwxg2.site
mcdlibre.live
globigprimecompanylimited.com
1707102023-stripe.com
xhfj5.site
mugiwaranousopp.xyz
texmasco.com
sc9999.net
lite.team
8xb898.com
cibecuetowing.top
mgplatinemlak.xyz
southwestharborkeyword.top
mil840.vip
mygovindexhtml.online
pepecasinofun.online
lindalilly.com
4da8.com
gladespringtowing.top
tinblaster.net
jpedwardscoaching.com
toursardegna.net
ngocchiluong.com
darringtontowing.top
oiuajh.xyz
nighvideos.com
15868.mom
blueblaze.app
escachifollad.store
credclub.shop
digitalfreedomhub.com
onemobileal.com
obqk8.site
kelownainsulationservices.com
skywatchnewsstores.com
neu-de-update.com
streamart.live
popla9001.com
theundraftd.com
claims.scot
bonk-token.com
iwoulddye4u.com
tenderherbschool.com
thegoodbeautypodcast.com
nahanttowing.top
moneyshift.store
relaxify.cloud
wjr3x0d.shop
churchsec.net
chromadentalclinic.com
kadeonline.com
frank-cazino.com
desixair.com
cftd4o5.com
ipodenergy.com
kravingsbykiersten.com
richmondvilletowing.top
fino-shop.store
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2992-111-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2992-116-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2084-122-0x00000000000D0000-0x00000000000FF000-memory.dmp formbook behavioral1/memory/2084-124-0x00000000000D0000-0x00000000000FF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
flow pid Process 11 2176 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
pid Process 1972 conhost.exe 2992 conhost.exe -
Loads dropped DLL 1 IoCs
pid Process 2176 EQNEDT32.EXE -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1972 set thread context of 2992 1972 conhost.exe 34 PID 2992 set thread context of 1184 2992 conhost.exe 7 PID 2084 set thread context of 1184 2084 cmstp.exe 7 -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2176 EQNEDT32.EXE -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2484 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2992 conhost.exe 2992 conhost.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe 2084 cmstp.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2992 conhost.exe 2992 conhost.exe 2992 conhost.exe 2084 cmstp.exe 2084 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2992 conhost.exe Token: SeDebugPrivilege 2084 cmstp.exe Token: SeShutdownPrivilege 1184 Explorer.EXE Token: SeShutdownPrivilege 1184 Explorer.EXE Token: SeShutdownPrivilege 1184 Explorer.EXE Token: SeShutdownPrivilege 1184 Explorer.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2484 EXCEL.EXE 2484 EXCEL.EXE 2484 EXCEL.EXE 2788 WINWORD.EXE 2788 WINWORD.EXE -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2176 wrote to memory of 1972 2176 EQNEDT32.EXE 31 PID 2176 wrote to memory of 1972 2176 EQNEDT32.EXE 31 PID 2176 wrote to memory of 1972 2176 EQNEDT32.EXE 31 PID 2176 wrote to memory of 1972 2176 EQNEDT32.EXE 31 PID 2788 wrote to memory of 1500 2788 WINWORD.EXE 32 PID 2788 wrote to memory of 1500 2788 WINWORD.EXE 32 PID 2788 wrote to memory of 1500 2788 WINWORD.EXE 32 PID 2788 wrote to memory of 1500 2788 WINWORD.EXE 32 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1972 wrote to memory of 2992 1972 conhost.exe 34 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 1184 wrote to memory of 2084 1184 Explorer.EXE 35 PID 2084 wrote to memory of 1804 2084 cmstp.exe 36 PID 2084 wrote to memory of 1804 2084 cmstp.exe 36 PID 2084 wrote to memory of 1804 2084 cmstp.exe 36 PID 2084 wrote to memory of 1804 2084 cmstp.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-5299.xls2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2484
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵PID:1804
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1500
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5a464081ab2a888e7dac6c7345551ed5c
SHA1b18f174f8b9df0d7adeabb9109d16744cbaba4b1
SHA256861028d264d972b8a26c496d646d52d3196d9c20091da7df5add64e1ed7467a6
SHA5129c371f1ed662462ed6bc9aabd4f28b25e44fea08b194feeb8bbc293e90a59022601c7e18148222804c16574ba278c5000adccc1c7f2d54c25cd9c5990d4f8225
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6B6EFF92-3AA9-420E-BDCF-33B25F175B2D}.FSD
Filesize128KB
MD534a7b344eef925f5cf3cd0e58de20997
SHA130d0c5eafd3511614af679f01bb0bf36263d278f
SHA256b84098c3f9e53f8c4027d1b364d0986be42c2234d8a2443c6b692d7743e0fabf
SHA512c22d659c2a58bd170d432145c46c44637395b522736e7f8f1e0ecd8f683ba91bd6431a40a76397eea5eaa2e48b1f69d6bbdbde7d4261482e0d1a808ff5adb0be
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth[1].doc
Filesize66KB
MD50f15c2649a458ea6d0421b673571b5af
SHA1a7cd0504cee1402625b1ab2bd13e89d344b3cb60
SHA25619903b449b7a97eff2293836d617b509039bc4b8b108b9b5ae299f0e2a2ce9d7
SHA51261ffb5b2d56bc32ee03a4e9ea70adeb5869226e92e8e4bc3d26f29c08060c8d4f5350d6fde19e26a3e536b9aaee3c24b072d7541e01c217471cd3f9f2868a1b5
-
Filesize
128KB
MD5e796020fce52f1b4cc98c45a2ef9f1d0
SHA10417d34b24d925a06d620475c711dc422609fb79
SHA256c0686db13b1074c8163a786a17cde5d4ef4193bbadf623efc008ffe2d4dbad1e
SHA5124796898ac9d90231cdd3a38d31853e301d7aaa12fe4d44e19eebe70e78e10a23d4b9aec1da432c01a5a1bba73b7fc849c06f1a47f60cd68f838e43748e40b61f
-
Filesize
605KB
MD54e970a3b8f394efb6020b1d7474bc147
SHA1f519d4c73cc21fed56a4e2b2ea596215f4815f4b
SHA2561a96da0b8cd4b80ebbe15e9ac2e4cc3552934d5e97f80a6533f97bc66095f126
SHA512e6a2b04cef50f48c5bd89002766438233945f7f705cb864aa48ace5f26ab5f257dfe9d6a3139db21105381837f21304f3d4392aef51a4e883438fa77263ac2da
-
Filesize
699KB
MD5591dac333aff7739bf01a4c9d3e838a5
SHA15211f3ab4d80644439220d11fb204eb2bee9fdb8
SHA2560509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4
SHA512b511a6b960b2c092577ab8fbf20767e9ad5dc86682e76e630602cfd88b4e8bf9b8fa8fac7e60fd4aa40ca8bcb49f69b9e8e9cc5a44f4c4b03d6e3d38ff402bfd