remcos | aa82e4e3c64666daaf9da5f189250e969a04e9d7123e068af593b954139526b5

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

317KB
MD5

1add9332fa33abaa1f5253a056912f46
SHA1

99541661cad68c112b9a6c68708868cc3231cdb8
SHA256

aa82e4e3c64666daaf9da5f189250e969a04e9d7123e068af593b954139526b5
SHA512

da82bc5b6d71cbed3f579e227013c19d88ee2dabf2043d76089c3f609bdeb8d3677ce7faf790d752b7a179d99f58897ea32370f7ed752223147b460a56f74582
SSDEEP

6144:4jctZunlY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVGZMI3XmTJPukl5rAFc+:4jctsM3bVGZMInKPvBocrFs

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

22 1848 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 2 IoCs

Processes:

winnit.exeexcel.exe

pid process

920 winnit.exe
1056 excel.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEwinnit.exe

pid process

1848 EQNEDT32.EXE
920 winnit.exe

flow	pid	process
22	1848	EQNEDT32.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
920	winnit.exe
1056	excel.exe

pid	process
1848	EQNEDT32.EXE
920	winnit.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\winnit.exe	autoit_exe
\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

excel.exe

description pid process target process

PID 1056 set thread context of 2336 1056 excel.exe svchost.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1848 EQNEDT32.EXE

description	pid	process	target process
PID 1056 set thread context of 2336	1056	excel.exe	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1848	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2168 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

excel.exe

pid process

1056 excel.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

winnit.exeexcel.exe

pid process

920 winnit.exe
920 winnit.exe
1056 excel.exe
1056 excel.exe
1056 excel.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

winnit.exeexcel.exe

pid process

920 winnit.exe
920 winnit.exe
1056 excel.exe
1056 excel.exe
1056 excel.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2168 EXCEL.EXE
2168 EXCEL.EXE
2168 EXCEL.EXE
2416 WINWORD.EXE
2416 WINWORD.EXE
2168 EXCEL.EXE
2168 EXCEL.EXE
2168 EXCEL.EXE

pid	process
2168	EXCEL.EXE

pid	process
1056	excel.exe

pid	process
920	winnit.exe
920	winnit.exe
1056	excel.exe
1056	excel.exe
1056	excel.exe

pid	process
920	winnit.exe
920	winnit.exe
1056	excel.exe
1056	excel.exe
1056	excel.exe

pid	process
2168	EXCEL.EXE
2168	EXCEL.EXE
2168	EXCEL.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2168	EXCEL.EXE
2168	EXCEL.EXE
2168	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXEwinnit.exeexcel.exe

description	pid	process	target process
PID 2416 wrote to memory of 1776	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1776	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1776	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1776	2416	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 920	1848	EQNEDT32.EXE	winnit.exe
PID 1848 wrote to memory of 920	1848	EQNEDT32.EXE	winnit.exe
PID 1848 wrote to memory of 920	1848	EQNEDT32.EXE	winnit.exe
PID 1848 wrote to memory of 920	1848	EQNEDT32.EXE	winnit.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 920 wrote to memory of 1056	920	winnit.exe	excel.exe
PID 1056 wrote to memory of 2336	1056	excel.exe	svchost.exe
PID 1056 wrote to memory of 2336	1056	excel.exe	svchost.exe
PID 1056 wrote to memory of 2336	1056	excel.exe	svchost.exe
PID 1056 wrote to memory of 2336	1056	excel.exe	svchost.exe
PID 1056 wrote to memory of 2336	1056	excel.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1776

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Roaming\winnit.exe
"C:\Users\Admin\AppData\Roaming\winnit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Roaming\winnit.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Roaming\winnit.exe"
4⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
eb11aa9d12df66ab6fee0689fb297623

SHA1
37a42652f32256bc70e5f11d5e7ea536186eab3a

SHA256
1b4a4f38d0ebd935715d702d2bdb9689917a1d01e8fcfc23ad5ceb21163c1f43

SHA512
2ebd3d737d79041628538bf64bf7750edf1f47b8fc0ad22ade7f0f4a34be05b5ee1701ffc24c1e6830dff99ff1ac53de2aad15abaf3941385d2e131537206237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F2CAC9A3-282B-40A1-A83C-3E72E2EDDE85}.FSD
Filesize
128KB

MD5
b40e98715a7187a001c32fcdaaa0a405

SHA1
71ae5394ea200f62f90981d4ccdd11cd4c5dd329

SHA256
617de0fbb7a3ee3189f6f3a3433efd54fde25fa182db734c5938f88641dfbb4c

SHA512
5d3958186e7768179badb9289529783799e74a14be7cb23e517b40d833b9ef9732853d85983c235f9d5084326c969f279c4d4039ca072f7796ba31f280c02c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
28de441f55d137a856e3df037543c2e9

SHA1
c9372e0a827ab2559848502bef23e1e610e69fcb

SHA256
25bacff74bbd282cbaff32452006a7dd7684a861272407d18efe5654dd88b315

SHA512
30b29dc975bd68772f40fe4c90f6a63d43d04083e63badce45115a241d979a85e2f0b65c04dbfd252646dbe1b5b29c53684ddace30758520dc30d705483edc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{004A2899-223D-4DFA-9115-876FCA5E4A84}.FSD
Filesize
128KB

MD5
b5f137d9d964983eeb197a9a770e9876

SHA1
da39af50becd1e6e83bb9cd764fca527d06a972b

SHA256
a0ba33bd11b9dc1685a7e4562544a81fce729b3a2678064ba482b2eb0d90de32

SHA512
5c73777d446fc08514bdd2becec475e0f220ffa45c03f70b5d6d3ac1b2481a9e6f07649fadc9cc01df5a4804b6023ebb3c7846351c3a7edfc63ca5fa354f6c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\wecontactedloverstounderstandhowhotgirlchickessheisbutshesaidiamveryhotgirltokiss____whatabeautifulgirlsheistokissandenjoytheday[1].doc
Filesize
69KB

MD5
3d9950539df8ffe5a6ad65a287dd1abe

SHA1
8b9b0a3ab75e0d7747c6237df529f856452bf35a

SHA256
ade7914eb1ec3171d987bff5bf1bb486112a3ca0c2984599f68089e154692a7d

SHA512
2c51ec7576a80107c42367506375a643a01f5b14c9afb3455c02762d45624a8a17d44fb20c487cfffa2f51175ba4fc9102f290d41ee52d465dc86641cbd4e507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vevine
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrorrheuma
Filesize
28KB

MD5
479b8ebaed46c941e61868e8d2f665fe

SHA1
212b11543ef433b12a4c96eb48ee2348a5514639

SHA256
39269e1cfe05077ba3839634b50a95698173cf9e0e93fadf96d6a8710544d239

SHA512
29ef60024cbe7fcb3185c4ce3a2589bac41168a2b69caed22bd7d6d5ce8d3d52dc9aa991e7645e856be51cfe10f13907aa9e9798e82dbd38a767e4a0d50cd440

Download Submit
C:\Users\Admin\AppData\Local\Temp\{65B8333E-F864-4838-8209-861C65008FC6}
Filesize
128KB

MD5
d005dc8e99f64201026d4243ed7a494b

SHA1
2cf49c606a6d43a1784382ebf5651edf44c0ce4f

SHA256
30fce3cbd43eb21a4443ba37ce3df431c590a2da6bac801dc53d320913fd6292

SHA512
d527c21bf57cd6cde09436b7c20ceb8796bbd4ffef1f4676c664b2175b195129cda7f73a04f85c43ee516f096e8ab7362029d03b4d1ef59584b9ac38aa2382eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B6U4592A.txt
Filesize
71B

MD5
4818157d8d862c838757844f54049009

SHA1
339ef47260b3b1b0647aa7ca15d8ad77e9721dea

SHA256
6272964fddd526b4ed62cd379a811082bff7abef917a1699ce511405ca23b9e5

SHA512
2d4bc1a60b473699b5833589b88001c7d384d41014d90e939bbd3ef6a6a65ffed831d80726136e1d00f0ad760c2e7ae363b765a05eb193fd6bd944cf8180c802

Download Submit
C:\Users\Admin\AppData\Roaming\winnit.exe
Filesize
1.3MB

MD5
ae56732543285a58949d9075e09f6d27

SHA1
0ae46a2ff42a54a554da0572ccc46951b8dcf447

SHA256
b590ff3add4c1ebcacd534ee89ec429df2fc3c417b68e0440312fab4e8432ab2

SHA512
9ab19109c7d461e47539501b96eb1aa755b00a969e76b5e1c4afdaa1685b0f5788023a47b7dd70fe34949309a3a84dc3dc39658a72428c04270b801b00b4152c

Download Submit
\Users\Admin\AppData\Local\directory\excel.exe
Filesize
111.3MB

MD5
032f906fc2f3dd6f5deb8f2cf7c3e58b

SHA1
7067cd0b95276caa42407e4f9098b8882047dbd5

SHA256
afc352e156ad5edb0f642f1369fa052688edd2fd0375477f66f5b94873a30850

SHA512
16e2fa43d7a0e9fa38a7a65935144a5f4dba4a1dc5c105cebc9e034c26fc05c0f25e7438eace0dc817b82316cd4473fe593a43589b66e76c12db6b8916165382

Download Submit
memory/920-116-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/2168-27-0x0000000003040000-0x0000000003042000-memory.dmp

Filesize
8KB

Download
memory/2168-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2168-91-0x000000007273D000-0x0000000072748000-memory.dmp

Filesize
44KB

Download
memory/2168-1-0x000000007273D000-0x0000000072748000-memory.dmp

Filesize
44KB

Download
memory/2336-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2416-26-0x0000000003610000-0x0000000003612000-memory.dmp

Filesize
8KB

Download
memory/2416-92-0x000000007273D000-0x0000000072748000-memory.dmp

Filesize
44KB

Download
memory/2416-24-0x000000007273D000-0x0000000072748000-memory.dmp

Filesize
44KB

Download
memory/2416-22-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download