121b5365768697cce30074b9097cccecced51feb5f991d89574cb8f0626c4804

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Credit confirmation.xls
Size

457KB
MD5

03b89a4337a09bc5d200b16ef43c8ec6
SHA1

e8154021f60ce06b321259df461e9bbfa468f345
SHA256

121b5365768697cce30074b9097cccecced51feb5f991d89574cb8f0626c4804
SHA512

337a96b68af23dbb07a0a22b82733f07a2b024ef4250326ed043528ea4b4ede82d9e1d873943487d73c185e5d47d6540a920682cfbbe8bd0c5ce7106b55e0b2d
SSDEEP

6144:ZZ+RwPONXoRjDhIcp0fDlavx+W26nAamxDun9zvCp4sJgXDHBMixiMK6G+ZFrTe2:kxu9bCfgXjpozwjTyYviDGnlQBs9zek

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	772	328	openfiles.exe	27

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	2116	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2496	hjv.exe
1028	hjv.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	EQNEDT32.EXE
772	openfiles.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 1028	2496	hjv.exe	36
PID 1028 set thread context of 328	1028	hjv.exe	27
PID 1028 set thread context of 772	1028	hjv.exe	37
PID 772 set thread context of 328	772	openfiles.exe	27

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2116	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	openfiles.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
328	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1028	hjv.exe
1028	hjv.exe
1028	hjv.exe
1028	hjv.exe
772	openfiles.exe
772	openfiles.exe
772	openfiles.exe
772	openfiles.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1028	hjv.exe
328	EXCEL.EXE
328	EXCEL.EXE
772	openfiles.exe
772	openfiles.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1804	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
328	EXCEL.EXE
328	EXCEL.EXE
328	EXCEL.EXE
1804	WINWORD.EXE
1804	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2496	2116	EQNEDT32.EXE	31
PID 2116 wrote to memory of 2496	2116	EQNEDT32.EXE	31
PID 2116 wrote to memory of 2496	2116	EQNEDT32.EXE	31
PID 2116 wrote to memory of 2496	2116	EQNEDT32.EXE	31
PID 1804 wrote to memory of 1464	1804	WINWORD.EXE	32
PID 1804 wrote to memory of 1464	1804	WINWORD.EXE	32
PID 1804 wrote to memory of 1464	1804	WINWORD.EXE	32
PID 1804 wrote to memory of 1464	1804	WINWORD.EXE	32
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 2496 wrote to memory of 1028	2496	hjv.exe	36
PID 328 wrote to memory of 772	328	EXCEL.EXE	37
PID 328 wrote to memory of 772	328	EXCEL.EXE	37
PID 328 wrote to memory of 772	328	EXCEL.EXE	37
PID 328 wrote to memory of 772	328	EXCEL.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Credit confirmation.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\openfiles.exe
  "C:\Windows\SysWOW64\openfiles.exe"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:772

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1464

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\hjv.exe
  "C:\Users\Admin\AppData\Roaming\hjv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\hjv.exe
    "C:\Users\Admin\AppData\Roaming\hjv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
fca8af0dc8436b9952fdf961f8c7f401

SHA1
ac194f887a84a4538985ece94daf59cea48fe65b

SHA256
477645c7b83bbde8bdcf6d066f0de596d5b02fd47c223f89dde7d86903338cf9

SHA512
ba0d8f654216d9530bec83aa011a3433cea27873be327ac60eb1244997995489db76e25077dead09fcd43009b05deda51fd37b30a33fff01c94ba3927e1c21d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
deab316815202949bc1a2e5598615ee6

SHA1
b4432c5d5c3c32dfded6d60b194e2f03e61ec88c

SHA256
6331d4bf2976861a88d7fef6958ebbbd629e168e163d99e5d2e8a83ab345627a

SHA512
bb27ba6b0ae24e84e0017afb7990edde464505afcb5ed2bb557281e216a00dcae0e0966c61b4095446bc24962de3499d2577e639de57eae720970e4edfaa1622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a0dd0c382974ee3ffac33bd8fa4a694

SHA1
036a8786d7564acd80b8a1339dd5a218b995e211

SHA256
133146cda3cfd4d7db520642a9e0e271fe04816f4694c569d2e7b399ba25503b

SHA512
c3a225a7695fa9a2d9f5c6a3c46906a58b59cd2de7d8abf2539bfd56ff37d64866c3944b25c4ecfcf5ed9bb9e2361e7a19a4a20a52c959ea8be5a27a016d0d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
f0af82f1f547d67f51cea98604d15572

SHA1
0d282669ae77fb6f3685d83a31bbfa7365d6e4f0

SHA256
a819c50c9442516aead6a9f7358abed7b57f45358ed697e2f5c6062e59b3f06d

SHA512
826ecc3a4a2f54124fbf6a5852eae0d1bc5b3d2547d5062a1dca7c1168739db2634a2ab19ff49f2d7618b36fc4647242fc9a6a9bc674bdb330a33d43ebb6d45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{96524DCF-4783-4E17-827D-B3529BAC71C2}.FSD

Filesize
128KB

MD5
dc2906283e38805c34e4b73a804b5751

SHA1
8b365f85ab6a61bf9e963b55a44d73b967327d1a

SHA256
dccfeb7f94bb5c70b9de0181d2eb9846dca7d7edd553b2a171b4029c4b3abc32

SHA512
59387d66a438a7cb0a4a684ccbc7a5229f4b7164678e5230004a1d73d9e4eb1a82729dbf46524f87c2d2b3867bd52ed6e1b42989adc8a5627b7952f2e2f2d5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b796745acc48381166c581de30c054b2

SHA1
19a5e14c3acd305a95f79b9cb2d57b7ffe895dca

SHA256
cda7723f66921fd003d1f7c3d539757d415c1e6c6e9c28a4f3703f720399a0ae

SHA512
99f29f433d36d2e74704ac80fdc573509efc2f544a45ab2ce03dbf44763ed67e33efb02bbe7ce5ed9b8729d600b1277461bac87f2d21c3c60e60cd1c869fda41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D65F96F9-4592-4323-8C51-F5AAE491E7EF}.FSD

Filesize
128KB

MD5
b9f2886f8b3bb8e8a2c79b3452382b04

SHA1
e8db2656d09a4edac92a4d63fdcdd55ec85e5243

SHA256
a9a6a72159629cd2ca99fb7886e41e15daeca9c70ceb004b347531db3bcf9d21

SHA512
1ae45ddc9ed4ce335876e15b3486833473064744dc0bfd1863ddecee20612319045bd6257e987c3187a64b0bb8574a5ff9eed5981153cdb57eddea9d7e15224b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\beautifulgirlreturntotheearthwithbeautifulthingstounderstandhowmuchshelovedmealwaysheismy___mygirlfriendmyheart[1].doc

Filesize
71KB

MD5
c8cf329159df0a375269f965aa181019

SHA1
c3f91d8cbac1083694922a9cf74c3cca27572372

SHA256
55b4b2b98e0d66e97dd11c53fc65cd29ad0ba3c0cca5582a57720855471e771a

SHA512
17aa78dacb7fe249b96685b3b277f41880e401e8e667edfed47db42e0cdf62f5f15baa5866c1bef7f9dfef2a532619e5db3eff0496dee6f556da98eadd796f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7E45.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8l8mj.zip

Filesize
430KB

MD5
30a561abb006b9d5debdd51dab743700

SHA1
e19c8d436f5b6ed66db21e32020f5ab6406241ca

SHA256
62da7ad6252a7778f096d62d9485a97ac48f2f2d0258cecd471aaada98877fe2

SHA512
e48b51bb99083c7e9fd55e28c9c667bf9c6c7141c1b620ce71542849bfed53a92585897321831743e80a8eea3ac0c787ab091f742bf58b587a5e50f723443c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33CCB9EA-192C-45D2-B6D8-839F10698D61}

Filesize
128KB

MD5
3b5b1074c0b8bd34ebb06e1655cdc462

SHA1
e9462b2a592bce30b3f57b358a4218856878acd5

SHA256
35374e48c0e395c96f847a061d90d1c709a0ef41c9da85c48ae818f48b00c5cb

SHA512
1bf29d58cc76832b209e271ee92c06b62f8c9298531ae02a87b282bee8639ae2234b7f578dadbd9a61576a02b3f961f63fdc7b50e2dbbed2bdf37da720cbec45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
38B

MD5
95a44d37a68b7903cafafe1f1e01c613

SHA1
d2720be3e64742dc481bafac17c2cc0bd669d300

SHA256
19cdd96a5a97f0d7a8c029acec0a9c0fd82b504504137e248b92173e7d8f664c

SHA512
7906b7fd13158fdc625a60e0c32e2cbd03eb28376175ae259a735a6f938d153920c8b005dace8cd912c3740e1d37d3b14ca0510690c258a79effbd9b80624543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
64b096527cdd542b15443fc89d7ad8a6

SHA1
dc2138d2ab88673347f86709f872c1b903a696eb

SHA256
fdf2e6a77a0ef618d30975a000226b027f369d6fd404e621234a16bef9adfb71

SHA512
6f2cb3035b1e28237d94071954659d4efad58f842ca199813290ba8c7660533ce7a0a44649a3a3efffead2bd1326d6bf2bff6fabc2156739c2f352e3e1af916a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IEXD5CX3.txt

Filesize
70B

MD5
33e1f8e9ba6ac0f2a946013fe5b369fb

SHA1
2d19ad5d52d258a18b2e4fba0ae9947de4b35b86

SHA256
7b3b2c175664fd638fb6a8ab570c5a92feb16f59ada27d594353f9cfb335564d

SHA512
c038e08ccf77d7a9e4cfcc1aa2b13f86d353e0dfca2b56e3f4516e9dbb870b89da84ab5580213073d79882d70a2074727f65c4995ac2233ddae1b4b4c3b17226

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
820KB

MD5
317ba2f8e624ec0c7d3714e2bde4f346

SHA1
12734675cfad66d78252515644a624964f69f94d

SHA256
0c2093493424e885c297d613e0cf343d8a084253ca3b044415e14c6e94696877

SHA512
ecc4a6f951cd7958288b7de35b253475fcc0910f5385b0b38db872a412b547ef5d8e7056865d26ae46b3b027d8b0bb37aa25ec6cb1a67abd342799795bfd3b08

Download Submit
\Users\Admin\AppData\Roaming\hjv.exe

Filesize
713KB

MD5
ab84aba6447883abb3ec76e4535fd144

SHA1
c10795debc241c9aa0725f826f147bf6b27659f7

SHA256
64a2a4cddd63e700cf7ace6a00e02441e11c05bea68d9787d749d573cc6ee394

SHA512
c4424b9bf538fe1223079571417b73621e4fc788bc78e7daac91d0bf085f5792e64fa3075dfd9c309bad0fda9b2e005ad92e2a57e45e1b36dad713901c382f3c

Download Submit
memory/328-94-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/328-27-0x00000000023F0000-0x00000000023F2000-memory.dmp

Filesize
8KB

Download
memory/328-1-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/328-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/328-145-0x0000000007280000-0x0000000007356000-memory.dmp

Filesize
856KB

Download
memory/772-182-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/772-183-0x0000000061E00000-0x0000000061EBB000-memory.dmp

Filesize
748KB

Download
memory/772-144-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/772-143-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/1028-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1028-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1028-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1028-140-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1804-22-0x000000002F751000-0x000000002F752000-memory.dmp

Filesize
4KB

Download
memory/1804-24-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/1804-26-0x00000000044E0000-0x00000000044E2000-memory.dmp

Filesize
8KB

Download
memory/1804-107-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/1804-205-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-206-0x000000007283D000-0x0000000072848000-memory.dmp

Filesize
44KB

Download
memory/2496-135-0x0000000004C60000-0x0000000004CEA000-memory.dmp

Filesize
552KB

Download
memory/2496-134-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/2496-133-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2496-132-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/2496-130-0x00000000013E0000-0x0000000001498000-memory.dmp

Filesize
736KB

Download