f9fe3dafa329a6dee118fa58c8f4b5e09f6a1ddc872159762a338a144b9857e8

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

445KB
MD5

25e87c4070d459f5259b60dbe6c985bb
SHA1

ae2d0882d9630798c061cc2a54ed8a913d289fce
SHA256

c580a88c58ac898f5090dab9be5249fdfb2e1b4dfaaf4646224edab76be63fea
SHA512

06fb28d697ddb01a7e7d29e330fd74d9c48261cea9ad7771e17497b2639871c8c1b40a11cad22c901e8674caf75630158dc34f191191115699f37ee7f3e5825e
SSDEEP

6144:iw+R+VrYjQf/KOgzTrMzWdKT1f/5dWDquH2sJgHvKr8e0lYx6kgIHsL:cEVrZf/ATwzbS2mgPlyzdHu

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000013af3-57.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2104	kspoold.exe
2628	kspoold.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	sample.exe
1084	sample.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001211c-2.dat	upx
behavioral1/memory/1084-3-0x0000000002880000-0x000000000291F000-memory.dmp	upx
behavioral1/memory/2104-11-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2104-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/files/0x0008000000013af3-57.dat	upx
behavioral1/memory/2628-85-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-101-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-120-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-156-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-176-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-226-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-261-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-281-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-315-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-364-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-405-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-437-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-488-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-508-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2628-542-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 5 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	kspoold.exe
File opened (read-only)	\??\G:	kspoold.exe
File opened (read-only)	\??\H:	kspoold.exe
File opened (read-only)	\??\I:	kspoold.exe
File opened (read-only)	\??\J:	kspoold.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kspoold.exe	sample.exe
File created	C:\Windows\SysWOW64\avmeter32.dll	kspoold.exe
File opened for modification	C:\Windows\SysWOW64\avmeter32.dll	kspoold.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3044	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	WINWORD.EXE
3044	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2104	1084	sample.exe	28
PID 1084 wrote to memory of 2104	1084	sample.exe	28
PID 1084 wrote to memory of 2104	1084	sample.exe	28
PID 1084 wrote to memory of 2104	1084	sample.exe	28
PID 1084 wrote to memory of 3044	1084	sample.exe	30
PID 1084 wrote to memory of 3044	1084	sample.exe	30
PID 1084 wrote to memory of 3044	1084	sample.exe	30
PID 1084 wrote to memory of 3044	1084	sample.exe	30
PID 1084 wrote to memory of 2764	1084	sample.exe	31
PID 1084 wrote to memory of 2764	1084	sample.exe	31
PID 1084 wrote to memory of 2764	1084	sample.exe	31
PID 1084 wrote to memory of 2764	1084	sample.exe	31
PID 3044 wrote to memory of 2484	3044	WINWORD.EXE	33
PID 3044 wrote to memory of 2484	3044	WINWORD.EXE	33
PID 3044 wrote to memory of 2484	3044	WINWORD.EXE	33
PID 3044 wrote to memory of 2484	3044	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\kspoold.exe
  "C:\Windows\system32\kspoold.exe" /INSTALL /SILENT
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  2⤵
  - Deletes itself
  PID:2764

C:\Windows\SysWOW64\kspoold.exe
C:\Windows\SysWOW64\kspoold.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sample.doc

Filesize
122KB

MD5
f315a017e56c55660fafa9a69465a496

SHA1
e8d959768a451519bb915c375dd15ab05361a841

SHA256
737a149bfe1c0e12bee77399f2e7e93c397be7c2e7c389682eadc69fec4877f6

SHA512
cbbb50c9325d598cc287de8a8c9f0b03e14e833439065574a7d0c133e6e8150c1fbc116893869ec8801f337b30fe024e91eff06914923c3f64a154eabf382f57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
b37cf5831d085a879d8b8a634dcc612f

SHA1
4509bfa63beb1f6d16c717501c174c5e237441fc

SHA256
11d19bf7532f39477baa3b976e95d12e00d0bf6a9584d1c5e7dd50b6a0f6e810

SHA512
567d1aad53bbce1eca6a28c6c8e5f8a0d916f3352124bae094707dbdfb822649a19dc1baff5d206c7c672f026945ef7be85d84a08eefa1157846d69636019e6d

Download Submit
C:\Windows\SysWOW64\avmeter32.dll

Filesize
59KB

MD5
11c600c13b4c72c6cbd405ffaceb110f

SHA1
e343dc7af59b8e3262175f15f7e2610bdaa85038

SHA256
a3ee82335395e9c85173cde936c8b8ca62de4ab5bc23a231f73821038d628c69

SHA512
d6cfec1d588be67b1e9ffbd0b5d531aac1eae587c49677310b323a9fa152bc99b013315ebc55ea895dd072e8909a6ceb7daf12bb5e55c57008ce6cd7ad279def

Download Submit
C:\Windows\Temp\KSPOOLD.TXT

Filesize
4KB

MD5
d1adbc16f9fd17b0077a4a96020eac24

SHA1
88bf9c5236e3b90ddee17434149b1cdb07992339

SHA256
1c6b480ca8fec16ec6180a239933f5b97d40386b1a253ad5fe46e88669927bfc

SHA512
689787777868d330c534eac145c655f28c9d0ff086a23e87e89092501e91f5a31506016379e433b2db6ad1caa82155ea2aad074b5a38ff3ef272b9f6ae3caebb

Download Submit
C:\Windows\Temp\KSPOOLD.TXT

Filesize
677B

MD5
e59dbc0d0b4814faba3ce0432ae6d1b6

SHA1
56bb4c80ab972d2c6339e4d238c122f918f5e4e0

SHA256
70743c60ee22429e6c3271ee76509495a4f85de4579c2e30e6eb0717f0bf8423

SHA512
ff71992b0d093310d2f094f55ab8902c9f1a99b40947ccfb27b8f6bbec72949dd34e5201203d3ea3d4a49a484ee8f4548557b8ca06579c76006709ce70f15369

Download Submit
C:\Windows\Temp\UninstallC.TMP

Filesize
1KB

MD5
16e0fd5af45ceb02ce13f310b84337c7

SHA1
8552ddee69def6eb532b56b3f7f03144c3315076

SHA256
ad71afb4630b7bf40364b0dc49defc01ea6f0da2f6c362e855af77dfb3e3befc

SHA512
f95af26a617e627e3b9f7a8bac4472dcf36c019854aca6b318895ae00f92029d9800268d0c575e0efcf213bcfbf78a17c1949d1a69b773511902c9d1d9e06c34

Download Submit
C:\Windows\Temp\UninstallC.TMP

Filesize
841B

MD5
f8ffd5768ee8ce0115596c1560637e1a

SHA1
62b293e5dbc28f12791d7b51699e8eeac9468d94

SHA256
6c5ffbc90ee86375412d657757f22b3f476dad34ca1c50d7c9b6dae4f8b1cf54

SHA512
0ec24b8e1a8351e560ff93a26cbca0cdcdb5d840a2c59d2b42e0411270d3374897a535e9fcd7ca49dcd44947c105aabf8841a3d65a09108f6e41c2f76c998e3d

Download Submit
C:\Windows\Temp\UninstallC.TMP

Filesize
713B

MD5
5d4164abc08b2823f06a6113d9dbe75d

SHA1
f7b73f3c99bdace738efd1de6a881b6ec8cbfe9d

SHA256
214b3f55f7838b1af4696aaca72c24067b8db529eea4f2ae5e21db60ae74963d

SHA512
2d9cfaaf8c4eb92cfa896fe1bd4e40e2ae675b77b5c8461766b958f699f519f9ec95678980ecc8b4ed49e8608bc59631b6b0118861c35ac05a5ccebd2f37b31d

Download Submit
C:\Windows\Temp\UninstallC.TMP

Filesize
457B

MD5
8e5ebc16d9673b9bd4048b0bc68bbb21

SHA1
3276168e09260176f7919de76bf14274d7e07326

SHA256
4fefdaf553b47df63ad1adfd3df6b18c6001ed1e5a8aaa5cf49489b6bbf7481d

SHA512
ef6cb652d9dcc371c85b2fa16755421c8858e0551efd1d436d921196b1f11222f328f4568097e438c8b37b06989fd14549715aab365d7a8e0113ef19d73175ab

Download Submit
C:\Windows\Temp\UninstallC.TMP

Filesize
285B

MD5
d2b61993912e2bbf3774ac147fd3e078

SHA1
7f9c0d7d29d385afe8035d228734c49039fd03b2

SHA256
c9624931428b63e7bc5fd4148e5644592eaeac01ee6440a899afbbe700247e39

SHA512
2e24900dfc39c7a3203db61603f9cabee406b4cdc3a43bbb16e88f8b30d61d29d8fe6e21b8e2e8e5b672ebd22a87091c645e248f32c23cbb3af9ead0ca9d53dd

Download Submit
\Windows\SysWOW64\kspoold.exe

Filesize
278KB

MD5
cf36d2c3023138fe694ffe4666b4b1b2

SHA1
08cd6314e99d1091c71bc21b6da680522ca6a161

SHA256
06eb602792cbe8fd01002eb34898bfd78beac30ce2b0384bd90f64db95f72afc

SHA512
b118ffc93f5a4be0f3e80cfdba4fda0af98d310db7a05d1ada1fdc6b7ca0f5041ab6132a227367215e3c4e66bf6f3aecec45caf625bb93609705ea25cfb66df3

Download Submit
memory/1084-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1084-3-0x0000000002880000-0x000000000291F000-memory.dmp

Filesize
636KB

Download
memory/2104-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2104-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2104-11-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-405-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-101-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-156-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-176-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-226-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-261-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-281-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-315-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-364-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-120-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2628-542-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-85-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-437-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-508-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2628-488-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3044-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3044-37-0x00000000713FD000-0x0000000071408000-memory.dmp

Filesize
44KB

Download
memory/3044-29-0x000000002FFF1000-0x000000002FFF2000-memory.dmp

Filesize
4KB

Download
memory/3044-124-0x00000000713FD000-0x0000000071408000-memory.dmp

Filesize
44KB

Download
memory/3044-403-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download