Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3MerekV3.08_Lite.rar
windows7-x64
4MerekV3.08_Lite.rar
windows10-2004-x64
7MerekV3.08...DME.md
windows7-x64
3MerekV3.08...DME.md
windows10-2004-x64
3MerekV3.08...10.pyc
windows7-x64
3MerekV3.08...10.pyc
windows10-2004-x64
3MerekV3.08...ts.bat
windows7-x64
1MerekV3.08...ts.bat
windows10-2004-x64
1MerekV3.08...10.pyc
windows7-x64
3MerekV3.08...10.pyc
windows10-2004-x64
3MerekV3.08...bot.py
windows7-x64
3MerekV3.08...bot.py
windows10-2004-x64
3MerekV3.08...st.zip
windows7-x64
1MerekV3.08...st.zip
windows10-2004-x64
1best/.data...ion_id
windows7-x64
1best/.data...ion_id
windows10-2004-x64
1best/byteorder
windows7-x64
1best/byteorder
windows10-2004-x64
1best/data.pkl
windows7-x64
3best/data.pkl
windows10-2004-x64
3best/data/0
windows7-x64
1best/data/0
windows10-2004-x64
1best/data/1
windows7-x64
1best/data/1
windows10-2004-x64
1best/data/10
windows7-x64
1best/data/10
windows10-2004-x64
1best/data/100
windows7-x64
1best/data/100
windows10-2004-x64
1best/data/101
windows7-x64
1best/data/101
windows10-2004-x64
1best/data/102
windows7-x64
1best/data/102
windows10-2004-x64
1Analysis
-
max time kernel
507s -
max time network
368s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 14:41
Static task
static1
Behavioral task
behavioral1
Sample
MerekV3.08_Lite.rar
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
MerekV3.08_Lite.rar
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
MerekV3.08 Lite/Merek Aimbot/README.md
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
MerekV3.08 Lite/Merek Aimbot/README.md
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
MerekV3.08 Lite/Merek Aimbot/__pycache__/keyauth.cpython-310.pyc
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
MerekV3.08 Lite/Merek Aimbot/__pycache__/keyauth.cpython-310.pyc
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
MerekV3.08 Lite/Merek Aimbot/install_requirements.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
MerekV3.08 Lite/Merek Aimbot/install_requirements.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
MerekV3.08 Lite/Merek Aimbot/lib/__pycache__/aimbot.cpython-310.pyc
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral10
Sample
MerekV3.08 Lite/Merek Aimbot/lib/__pycache__/aimbot.cpython-310.pyc
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
MerekV3.08 Lite/Merek Aimbot/lib/aimbot.py
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
MerekV3.08 Lite/Merek Aimbot/lib/aimbot.py
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
MerekV3.08 Lite/Merek Aimbot/lib/best.zip
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
MerekV3.08 Lite/Merek Aimbot/lib/best.zip
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
best/.data/serialization_id
Resource
win7-20240319-en
windows7-x64
Behavioral task
behavioral16
Sample
best/.data/serialization_id
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
best/byteorder
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
best/byteorder
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
best/data.pkl
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
best/data.pkl
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
best/data/0
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
best/data/0
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
best/data/1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
best/data/1
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
best/data/10
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
best/data/10
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
best/data/100
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral28
Sample
best/data/100
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
best/data/101
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
best/data/101
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
best/data/102
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
best/data/102
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
MerekV3.08_Lite.rar
-
Size
6.0MB
-
MD5
f2bd1f51b61709643431a7b76fe711d3
-
SHA1
6a2b399f69060f506b57e9086cd885f5a97e53b3
-
SHA256
98b52813707d4293c6150cd7e602240ad1ca266807c3c7225f2a3dbf6de7a13d
-
SHA512
473bd23c632b6153e670b0576e56d842eef2fac7efd2622c6205e478c41d34f525dc50b7ad7a7f6c62e131d6d45ece2f982bbb15291b3aff8262a0f95400396c
-
SSDEEP
98304:/1nBT6FapjeZ+FOT5YFUbnppHpMlr5QwlUPwR6KF8IlSezJZQIDb+3wrahHR/w4a:/1nBXqZ+MlsUbppH21lU4R6KFjxVZHz5
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1540 WINWORD.EXE -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2656 7zFM.exe 2812 rundll32.exe 2888 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeRestorePrivilege 2656 7zFM.exe Token: 35 2656 7zFM.exe Token: SeSecurityPrivilege 2656 7zFM.exe Token: 33 3044 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3044 AUDIODG.EXE Token: 33 3044 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3044 AUDIODG.EXE Token: SeRestorePrivilege 2924 7zG.exe Token: 35 2924 7zG.exe Token: SeSecurityPrivilege 2924 7zG.exe Token: SeSecurityPrivilege 2924 7zG.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2656 7zFM.exe 2656 7zFM.exe 2924 7zG.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1984 AcroRd32.exe 1984 AcroRd32.exe 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2656 1680 cmd.exe 29 PID 1680 wrote to memory of 2656 1680 cmd.exe 29 PID 1680 wrote to memory of 2656 1680 cmd.exe 29 PID 2812 wrote to memory of 1984 2812 rundll32.exe 43 PID 2812 wrote to memory of 1984 2812 rundll32.exe 43 PID 2812 wrote to memory of 1984 2812 rundll32.exe 43 PID 2812 wrote to memory of 1984 2812 rundll32.exe 43 PID 2888 wrote to memory of 1540 2888 rundll32.exe 45 PID 2888 wrote to memory of 1540 2888 rundll32.exe 45 PID 2888 wrote to memory of 1540 2888 rundll32.exe 45 PID 2888 wrote to memory of 1540 2888 rundll32.exe 45 PID 1540 wrote to memory of 748 1540 WINWORD.EXE 48 PID 1540 wrote to memory of 748 1540 WINWORD.EXE 48 PID 1540 wrote to memory of 748 1540 WINWORD.EXE 48 PID 1540 wrote to memory of 748 1540 WINWORD.EXE 48
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MerekV3.08_Lite.rar1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MerekV3.08_Lite.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2656
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5441⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\merek.py1⤵
- Modifies registry class
PID:2908
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\start.bat" "1⤵PID:1824
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\lib\best\" -ad -an -ai#7zMap570:130:7zEvent130041⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2924
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\lib\best\best\data\01⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\lib\best\best\data\0"2⤵
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\lib\best\best\data\01⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MerekV3.08 Lite\Merek Aimbot\lib\best\best\data\0"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:748
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5af3c08402ed7adce6509a46e14e80404
SHA13366b883a2867fea070dda6341521b0e47d3e58e
SHA256298525255ca2fc00aebf18d3168bcec0a9ec04430de6ed8253e61c58a3a81870
SHA51294e1d98b84b677ec710f1d753fb89a86dd43a8a9132156cb8032fdeeb62d2a1ccea8e771aa0744e490b13167ff3b27d3dff420f44d5757b46c74ad31b1868218
-
Filesize
3KB
MD5cc57c80a309157575c6fddfd6aa45271
SHA10fa18c4baf860c6c317d850e6fcf3254971d0ee7
SHA2567a5a259af2830d09432e6c0143447ba85a20d1019860665dcbdd1d729cf50947
SHA512beb6fc39a7e95c84d7746d68f51af9970ca70216ff4f96801968918b5967c48bb203dd98434f1734f40322e650f3b34ed8ef904bb22b05126ef1a603fc64f929
-
Filesize
8B
MD533cdeccccebe80329f1fdbee7f5874cb
SHA13da89ee273be13437e7ecf760f3fbd4dc0e8d1fe
SHA2567c9fa136d4413fa6173637e883b6998d32e1d675f88cddff9dcbcf331820f4b8
SHA512991294f43425a5b80f8a5907ca7cdbb611401282585a58bb415077005428e3b4c0f661fc07ba5c45f627bd8bdcb172389ce2fda461c029b837abc70f0abbea20
-
Filesize
22B
MD537c4f262dabdf01445d615d1354fddd3
SHA1e044e64cee96c0dc2ddadd1c2b9e422869f85498
SHA256165ccde119e16783475aefa4915ac1f7e251fbbd4c37be85cad3fb2fe87cbb73
SHA512bf8bf1826f1ef8f6669d099f0177532fe9128e3b02ed22c338085e6338c3c8b0d87cd7a4dac49e56d43f9a21dcdf0ffc21d408efbe96879387468de05b5a16b5