guloader | 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
Size

709KB
MD5

79021e344431dfff5aa6547f543b4337
SHA1

75f6cad7afe2ba456fb3413d68d79257d798ba07
SHA256

1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c
SHA512

985473692be9809f9ef1729aec2847b9b98202e98b429739631efe3a223b9054fa5851da948f95b4c3d9d99c4533c1b7e98fc9a5b70721fba8646f6ca0af9c2e
SSDEEP

12288:1opI6Gm4TM8Nju/GZ34DGltz2BRJON0eIC8vHAX5TtL+i1GFRz6u:1opIOn/GZUGKhfAXNtDkFj

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2156	18234.exe
2128	QQ.exe

Loads dropped DLL 5 IoCs

pid	Process
2156	18234.exe
808	wab.exe
2128	QQ.exe
2128	QQ.exe
896	QQ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ragelses = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Jevgenij\\Salderendes.exe"	wab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Tjenerskab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Kirkegangens\\Antiadiaphorist236.exe"	QQ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\forementioned\kirstis.ini	QQ.exe
File opened for modification	C:\Windows\SysWOW64\forementioned\kirstis.ini	18234.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2156	18234.exe
808	wab.exe
2128	QQ.exe
896	QQ.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 808	2156	18234.exe	56
PID 2128 set thread context of 896	2128	QQ.exe	59

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str	18234.exe
File opened for modification	C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str	QQ.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Dagsarbejdes.fin	18234.exe
File opened for modification	C:\Windows\resources\0409\nuncupating.Enf	QQ.exe
File opened for modification	C:\Windows\Fonts\Dagsarbejdes.fin	QQ.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\resources\0409\nuncupating.Enf	18234.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Kills process with taskkill 2 IoCs

evasion

pid	Process
2468	taskkill.exe
2532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
348	WINWORD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
348	WINWORD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2156	18234.exe
2128	QQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
348	WINWORD.EXE
348	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2468	2000	wscript.exe	28
PID 2000 wrote to memory of 2468	2000	wscript.exe	28
PID 2000 wrote to memory of 2468	2000	wscript.exe	28
PID 2000 wrote to memory of 2532	2000	wscript.exe	31
PID 2000 wrote to memory of 2532	2000	wscript.exe	31
PID 2000 wrote to memory of 2532	2000	wscript.exe	31
PID 2000 wrote to memory of 2640	2000	wscript.exe	33
PID 2000 wrote to memory of 2640	2000	wscript.exe	33
PID 2000 wrote to memory of 2640	2000	wscript.exe	33
PID 2000 wrote to memory of 2716	2000	wscript.exe	35
PID 2000 wrote to memory of 2716	2000	wscript.exe	35
PID 2000 wrote to memory of 2716	2000	wscript.exe	35
PID 2000 wrote to memory of 2612	2000	wscript.exe	37
PID 2000 wrote to memory of 2612	2000	wscript.exe	37
PID 2000 wrote to memory of 2612	2000	wscript.exe	37
PID 2000 wrote to memory of 2128	2000	wscript.exe	39
PID 2000 wrote to memory of 2128	2000	wscript.exe	39
PID 2000 wrote to memory of 2128	2000	wscript.exe	39
PID 2000 wrote to memory of 2392	2000	wscript.exe	41
PID 2000 wrote to memory of 2392	2000	wscript.exe	41
PID 2000 wrote to memory of 2392	2000	wscript.exe	41
PID 2000 wrote to memory of 2496	2000	wscript.exe	43
PID 2000 wrote to memory of 2496	2000	wscript.exe	43
PID 2000 wrote to memory of 2496	2000	wscript.exe	43
PID 2000 wrote to memory of 1904	2000	wscript.exe	45
PID 2000 wrote to memory of 1904	2000	wscript.exe	45
PID 2000 wrote to memory of 1904	2000	wscript.exe	45
PID 2000 wrote to memory of 2900	2000	wscript.exe	47
PID 2000 wrote to memory of 2900	2000	wscript.exe	47
PID 2000 wrote to memory of 2900	2000	wscript.exe	47
PID 2000 wrote to memory of 352	2000	wscript.exe	49
PID 2000 wrote to memory of 352	2000	wscript.exe	49
PID 2000 wrote to memory of 352	2000	wscript.exe	49
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 2000 wrote to memory of 2156	2000	wscript.exe	51
PID 352 wrote to memory of 348	352	cmd.exe	52
PID 352 wrote to memory of 348	352	cmd.exe	52
PID 352 wrote to memory of 348	352	cmd.exe	52
PID 352 wrote to memory of 348	352	cmd.exe	52
PID 348 wrote to memory of 1868	348	WINWORD.EXE	55
PID 348 wrote to memory of 1868	348	WINWORD.EXE	55
PID 348 wrote to memory of 1868	348	WINWORD.EXE	55
PID 348 wrote to memory of 1868	348	WINWORD.EXE	55
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 2156 wrote to memory of 808	2156	18234.exe	56
PID 808 wrote to memory of 2128	808	wab.exe	58
PID 808 wrote to memory of 2128	808	wab.exe	58
PID 808 wrote to memory of 2128	808	wab.exe	58
PID 808 wrote to memory of 2128	808	wab.exe	58
PID 2128 wrote to memory of 896	2128	QQ.exe	59
PID 2128 wrote to memory of 896	2128	QQ.exe	59
PID 2128 wrote to memory of 896	2128	QQ.exe	59
PID 2128 wrote to memory of 896	2128	QQ.exe	59
PID 2128 wrote to memory of 896	2128	QQ.exe	59
PID 2128 wrote to memory of 896	2128	QQ.exe	59

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im winword.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im winword.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
  2⤵
  PID:2640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
  2⤵
  PID:2716
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
  2⤵
  PID:2612
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
  2⤵
  PID:2128
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
  2⤵
  PID:2392
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
  2⤵
  PID:2496
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
  2⤵
  PID:1904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
  2⤵
  PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" /MAX winword "C:\Users\Admin\56769.docx"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\56769.docx"
    3⤵
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1868
- C:\Users\Admin\18234.exe
  "C:\Users\Admin\18234.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Users\Admin\18234.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\QQ.exe
      "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\QQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\18234.exe

Filesize
497KB

MD5
b3e117728535ed7edad599e698cafbc2

SHA1
2ea334afa266e29515855f809627b09c032168e8

SHA256
9e3c4a258c4f20711f53dda2f00dacf9a6ae3a673cd2b8d54b4811fe4fd62bf7

SHA512
d964fada7344bdf95964dc7159b4b1c550d6c6d0c35263c96f7b32bd489cf38f796198bb97548dd6868ef09f72e8ab273208c33e981419b85c506acbad436b29

Download Submit
C:\Users\Admin\56769.docx

Filesize
9KB

MD5
86b537f94078514245fe7b6275ed5531

SHA1
54f72b7333b6a576ea33459caf8b2724f62a6c53

SHA256
5c0bb327dcac9c309285814c460a54f91b83ee4a7c693bc6ec2aa2ae8c012eb2

SHA512
93ab12385c7ab86d561d705c8cbf17da49c16686aa2262b7b9a4a98ed4e307f5908efa8004f619bb019768989d2368834e20a18c723602454e4728ef31a34272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
7a6ead7f1175b4240692dea600dda4e2

SHA1
ae05512ba98cae7806d24f9ced51c5b84bc03429

SHA256
ea1376ba97257a6d088b977ce57ea3ea0c7352893c23484e6111f091465641e8

SHA512
d30f66c4b5aa51ce10972f414bc43b6dc90aac39d217f1efad380375d0ef61e00f58269da7b6161f8a8ec9f5ba3bf02035bdb0fa4acef6ec7d68b75c3d9183bd

Download Submit
\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
469KB

MD5
46bbacb63c2f6c440be347e99210c3a3

SHA1
8b3f6920bf657fd1973069540ec5990b2033e69a

SHA256
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e

SHA512
f51dafe7612d294a70872064d9c8b1352598def99242134e4dd5aa03ef62614d3222d5b430a8bb26fa63b7e177ec7229467bae58b1e86a0775a052dcab38f7d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3F72.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
memory/348-22-0x000000002F5C1000-0x000000002F5C2000-memory.dmp

Filesize
4KB

Download
memory/348-24-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/348-25-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/348-237-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/348-106-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/808-105-0x0000000000590000-0x000000000290B000-memory.dmp

Filesize
35.5MB

Download
memory/808-107-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/808-109-0x0000000077380000-0x0000000077456000-memory.dmp

Filesize
856KB

Download
memory/808-111-0x00000000773B6000-0x00000000773B7000-memory.dmp

Filesize
4KB

Download
memory/808-112-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/808-193-0x0000000000590000-0x000000000290B000-memory.dmp

Filesize
35.5MB

Download
memory/896-204-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/896-200-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/896-205-0x00000000014F0000-0x0000000002700000-memory.dmp

Filesize
18.1MB

Download
memory/896-199-0x00000000014F0000-0x0000000002700000-memory.dmp

Filesize
18.1MB

Download
memory/2128-198-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2128-197-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/2128-192-0x0000000003E90000-0x00000000050A0000-memory.dmp

Filesize
18.1MB

Download
memory/2128-203-0x0000000003E90000-0x00000000050A0000-memory.dmp

Filesize
18.1MB

Download
memory/2128-218-0x0000000003E90000-0x00000000050A0000-memory.dmp

Filesize
18.1MB

Download
memory/2156-108-0x0000000003DD0000-0x000000000614B000-memory.dmp

Filesize
35.5MB

Download
memory/2156-104-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2156-103-0x0000000077380000-0x0000000077456000-memory.dmp

Filesize
856KB

Download
memory/2156-213-0x0000000003DD0000-0x000000000614B000-memory.dmp

Filesize
35.5MB

Download
memory/2156-102-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/2156-100-0x0000000003DD0000-0x000000000614B000-memory.dmp

Filesize
35.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads