Analysis

- max time kernel: 160s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 21:11
Static task: static1

Behavioral task: behavioral1
- Sample: 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe
- Resource: win10v2004-20240226-en
General

- Target: 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe
- Size: 87KB
- MD5: ab639eb2eecd4b4724a4920128ae5c7e
- SHA1: fc8a04433be9a046a02e86e1c7d444ff33521836
- SHA256: 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0
- SHA512: 5dc4d1329c64c072d206e4d834291fbc54fb68b2924aa99e260e069f7c588d9396dfed291fba80ebd8ff49fa254f1479e6714cbe18973c05ad5066bd95c19cfa
- SSDEEP: 1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIy:08dfX7y9DZ+N7eB+IIy
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE |
Checks computer location settings (2 TTPs, 1 IoC)

Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 2616 | SVCHOST.EXE |
| 1804 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4564 | SVCHOST.EXE |
| 4388 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4912 | SVCHOST.EXE |
| 3628 | SVCHOST.EXE |
| 3852 | SPOOLSV.EXE |
| 1148 | SPOOLSV.EXE |
| 1792 | SVCHOST.EXE |
| 1864 | SPOOLSV.EXE |
Drops desktop.ini file(s) (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Recycled\desktop.ini | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened for modification | F:\Recycled\desktop.ini | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
Enumerates connected drives (3 TTPs, 64 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\P: | SPOOLSV.EXE |
| File opened (read-only) | \??\K: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\V: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\E: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | SVCHOST.EXE |
| File opened (read-only) | \??\S: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\Y: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\X: | SVCHOST.EXE |
| File opened (read-only) | \??\R: | SPOOLSV.EXE |
| File opened (read-only) | \??\Z: | SVCHOST.EXE |
| File opened (read-only) | \??\Q: | SVCHOST.EXE |
| File opened (read-only) | \??\R: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | SVCHOST.EXE |
| File opened (read-only) | \??\G: | SPOOLSV.EXE |
| File opened (read-only) | \??\N: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\P: | SVCHOST.EXE |
| File opened (read-only) | \??\Z: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\N: | SVCHOST.EXE |
| File opened (read-only) | \??\W: | SVCHOST.EXE |
| File opened (read-only) | \??\E: | SVCHOST.EXE |
| File opened (read-only) | \??\G: | SVCHOST.EXE |
| File opened (read-only) | \??\U: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\Q: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\E: | SPOOLSV.EXE |
| File opened (read-only) | \??\K: | SPOOLSV.EXE |
| File opened (read-only) | \??\J: | SVCHOST.EXE |
| File opened (read-only) | \??\S: | SVCHOST.EXE |
| File opened (read-only) | \??\O: | SVCHOST.EXE |
| File opened (read-only) | \??\V: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\T: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\K: | SVCHOST.EXE |
| File opened (read-only) | \??\L: | SVCHOST.EXE |
| File opened (read-only) | \??\M: | SPOOLSV.EXE |
| File opened (read-only) | \??\X: | SPOOLSV.EXE |
| File opened (read-only) | \??\Z: | SPOOLSV.EXE |
| File opened (read-only) | \??\R: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\W: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\Q: | SVCHOST.EXE |
| File opened (read-only) | \??\X: | SVCHOST.EXE |
| File opened (read-only) | \??\V: | SPOOLSV.EXE |
| File opened (read-only) | \??\O: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\P: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\U: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\Y: | SVCHOST.EXE |
| File opened (read-only) | \??\N: | SVCHOST.EXE |
| File opened (read-only) | \??\S: | SVCHOST.EXE |
| File opened (read-only) | \??\L: | SPOOLSV.EXE |
| File opened (read-only) | \??\S: | SPOOLSV.EXE |
| File opened (read-only) | \??\G: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\J: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\T: | SVCHOST.EXE |
| File opened (read-only) | \??\Z: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | SPOOLSV.EXE |
| File opened (read-only) | \??\J: | SPOOLSV.EXE |
| File opened (read-only) | \??\T: | SPOOLSV.EXE |
| File opened (read-only) | \??\L: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\G: | SVCHOST.EXE |
| File opened (read-only) | \??\U: | SPOOLSV.EXE |
| File opened (read-only) | \??\W: | SPOOLSV.EXE |
| File opened (read-only) | \??\E: | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened (read-only) | \??\U: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | SPOOLSV.EXE |
Drops file in Program Files directory (1 IoC)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
Modifies registry class (29 IoCs)

| description | ioc | Process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\QuickTip = "prop:Type;Size" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\TileInfo = "prop:Type;Size" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
|---|---|
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2616 | SVCHOST.EXE |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
|---|---|
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
Suspicious use of SetWindowsHookEx (20 IoCs)

| pid | Process |
|---|---|
| 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe |
| 2616 | SVCHOST.EXE |
| 1804 | SVCHOST.EXE |
| 3548 | SVCHOST.EXE |
| 4564 | SVCHOST.EXE |
| 4388 | SVCHOST.EXE |
| 4028 | SPOOLSV.EXE |
| 4912 | SVCHOST.EXE |
| 3628 | SVCHOST.EXE |
| 3852 | SPOOLSV.EXE |
| 1148 | SPOOLSV.EXE |
| 1792 | SVCHOST.EXE |
| 1864 | SPOOLSV.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
| 1052 | WINWORD.EXE |
Suspicious use of WriteProcessMemory (38 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2128 wrote to memory of 2616 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 96 |
| PID 2128 wrote to memory of 2616 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 96 |
| PID 2128 wrote to memory of 2616 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 96 |
| PID 2616 wrote to memory of 1804 | 2616 | SVCHOST.EXE | 97 |
| PID 2616 wrote to memory of 1804 | 2616 | SVCHOST.EXE | 97 |
| PID 2616 wrote to memory of 1804 | 2616 | SVCHOST.EXE | 97 |
| PID 2616 wrote to memory of 3548 | 2616 | SVCHOST.EXE | 98 |
| PID 2616 wrote to memory of 3548 | 2616 | SVCHOST.EXE | 98 |
| PID 2616 wrote to memory of 3548 | 2616 | SVCHOST.EXE | 98 |
| PID 3548 wrote to memory of 4564 | 3548 | SVCHOST.EXE | 99 |
| PID 3548 wrote to memory of 4564 | 3548 | SVCHOST.EXE | 99 |
| PID 3548 wrote to memory of 4564 | 3548 | SVCHOST.EXE | 99 |
| PID 3548 wrote to memory of 4388 | 3548 | SVCHOST.EXE | 100 |
| PID 3548 wrote to memory of 4388 | 3548 | SVCHOST.EXE | 100 |
| PID 3548 wrote to memory of 4388 | 3548 | SVCHOST.EXE | 100 |
| PID 3548 wrote to memory of 4028 | 3548 | SVCHOST.EXE | 101 |
| PID 3548 wrote to memory of 4028 | 3548 | SVCHOST.EXE | 101 |
| PID 3548 wrote to memory of 4028 | 3548 | SVCHOST.EXE | 101 |
| PID 4028 wrote to memory of 4912 | 4028 | SPOOLSV.EXE | 102 |
| PID 4028 wrote to memory of 4912 | 4028 | SPOOLSV.EXE | 102 |
| PID 4028 wrote to memory of 4912 | 4028 | SPOOLSV.EXE | 102 |
| PID 4028 wrote to memory of 3628 | 4028 | SPOOLSV.EXE | 103 |
| PID 4028 wrote to memory of 3628 | 4028 | SPOOLSV.EXE | 103 |
| PID 4028 wrote to memory of 3628 | 4028 | SPOOLSV.EXE | 103 |
| PID 4028 wrote to memory of 3852 | 4028 | SPOOLSV.EXE | 104 |
| PID 4028 wrote to memory of 3852 | 4028 | SPOOLSV.EXE | 104 |
| PID 4028 wrote to memory of 3852 | 4028 | SPOOLSV.EXE | 104 |
| PID 2616 wrote to memory of 1148 | 2616 | SVCHOST.EXE | 105 |
| PID 2616 wrote to memory of 1148 | 2616 | SVCHOST.EXE | 105 |
| PID 2616 wrote to memory of 1148 | 2616 | SVCHOST.EXE | 105 |
| PID 2128 wrote to memory of 1792 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 106 |
| PID 2128 wrote to memory of 1792 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 106 |
| PID 2128 wrote to memory of 1792 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 106 |
| PID 2128 wrote to memory of 1864 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 107 |
| PID 2128 wrote to memory of 1864 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 107 |
| PID 2128 wrote to memory of 1864 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 107 |
| PID 2128 wrote to memory of 1052 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 110 |
| PID 2128 wrote to memory of 1052 | 2128 | 63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe | 110 |
Processes

Process tree (image path and PID; command line and triggered signatures on the following lines; children indented under their parent):

- C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe (PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Checks computer location settings; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\recycled\SVCHOST.EXE (PID 2616)
    Command line: C:\recycled\SVCHOST.EXE :agent
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\recycled\SVCHOST.EXE (PID 1804)
      Command line: C:\recycled\SVCHOST.EXE :agent
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE (PID 3548)
      Command line: F:\recycled\SVCHOST.EXE :agent
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\recycled\SVCHOST.EXE (PID 4564)
        Command line: C:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE (PID 4388)
        Command line: F:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE (PID 4028)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\recycled\SVCHOST.EXE (PID 4912)
          Command line: C:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE (PID 3628)
          Command line: F:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE (PID 3852)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE (PID 1148)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - F:\recycled\SVCHOST.EXE (PID 1792)
    Command line: F:\recycled\SVCHOST.EXE :agent
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE (PID 1864)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1052)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.doc" /o ""
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 924)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads