remcos | 114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order2354.xls
Size

654KB
MD5

0ea2f1e95f1c8a1917bb34a722cf78e8
SHA1

4721806e7503fcb6a630697bc348e53074a22fa2
SHA256

114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7
SHA512

9a5b836d188bf1bc8f210560492475017f2f23577a708acd82af3f0ada2446690653e4e08c1f0908306aaabd5a53f741f8987ed76bcbc00f4786784c6f5d9de8
SSDEEP

12288:/kTCQ5HK3hrUP/qPQZR8MxAm/S/xQE1A73DbFWgc4zkiVhPkLyH8gq1N:OCQ5HKRrUP/mMxCaE1GFWgJkChkqPK

Score

10^/10

remcos execution rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	988	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
412	powershell.exe
2388	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2488	vnc.exe
1216	vnc.exe

Loads dropped DLL 8 IoCs

pid	Process
988	EQNEDT32.EXE
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 1216	2488	vnc.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	1216	WerFault.exe	40

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1896	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
988	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2004	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
412	powershell.exe
2388	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2004	EXCEL.EXE
2004	EXCEL.EXE
2004	EXCEL.EXE
2004	EXCEL.EXE
2004	EXCEL.EXE
2560	WINWORD.EXE
2560	WINWORD.EXE
2004	EXCEL.EXE
2004	EXCEL.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2488	988	EQNEDT32.EXE	31
PID 988 wrote to memory of 2488	988	EQNEDT32.EXE	31
PID 988 wrote to memory of 2488	988	EQNEDT32.EXE	31
PID 988 wrote to memory of 2488	988	EQNEDT32.EXE	31
PID 2560 wrote to memory of 2052	2560	WINWORD.EXE	32
PID 2560 wrote to memory of 2052	2560	WINWORD.EXE	32
PID 2560 wrote to memory of 2052	2560	WINWORD.EXE	32
PID 2560 wrote to memory of 2052	2560	WINWORD.EXE	32
PID 2488 wrote to memory of 412	2488	vnc.exe	34
PID 2488 wrote to memory of 412	2488	vnc.exe	34
PID 2488 wrote to memory of 412	2488	vnc.exe	34
PID 2488 wrote to memory of 412	2488	vnc.exe	34
PID 2488 wrote to memory of 2388	2488	vnc.exe	36
PID 2488 wrote to memory of 2388	2488	vnc.exe	36
PID 2488 wrote to memory of 2388	2488	vnc.exe	36
PID 2488 wrote to memory of 2388	2488	vnc.exe	36
PID 2488 wrote to memory of 1896	2488	vnc.exe	37
PID 2488 wrote to memory of 1896	2488	vnc.exe	37
PID 2488 wrote to memory of 1896	2488	vnc.exe	37
PID 2488 wrote to memory of 1896	2488	vnc.exe	37
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 2488 wrote to memory of 1216	2488	vnc.exe	40
PID 1216 wrote to memory of 2352	1216	vnc.exe	41
PID 1216 wrote to memory of 2352	1216	vnc.exe	41
PID 1216 wrote to memory of 2352	1216	vnc.exe	41
PID 1216 wrote to memory of 2352	1216	vnc.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order2354.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2052

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Roaming\vnc.exe
  "C:\Users\Admin\AppData\Roaming\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jGiHPUkzfFmtq.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jGiHPUkzfFmtq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EFD.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1896
- - C:\Users\Admin\AppData\Roaming\vnc.exe
    "C:\Users\Admin\AppData\Roaming\vnc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 200
      4⤵
      Loads dropped DLL
      Program crash
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e911d5250fd2c67530801b2c146e56ad

SHA1
c5452baaee6e85d4129c0f35f5d4182fa3b225f8

SHA256
c27edf2fc78bb8ea82d5bca8f2aa9a6ba9a7a62f8e75c9f1af92dec7bfcb229d

SHA512
0eb3e6a4bffe7eca9f3c62e89c71f92b2e4527cd240cfd0743a5abf492e44f7c22128c402c02b34177f34ae83f06fa24cf22fbabab58ecc4fc4935e342f56b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5fd2cde1dd0ff55b448c1a19f03475c3

SHA1
704188b528b2933db2b974947021315897fc1bbc

SHA256
2f07dec57fbc688cfb77b5c959261496911da9bcced2c12e4c5ed494720e6dae

SHA512
bde96a0e987791f1d441b46a0f9fb97dc41b62c9e71c5f13c4bd7a0bbb2821072720147ed61733b2027b151acfc8ea03d3fe296bfe40f135773dc7bbd4a9ef80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53cc5ac90a595cefb61b14011e01eeed

SHA1
d50ce46c4d4aafdf1e450875502c7469cbca0edb

SHA256
36d536c42fce94a89e0e74d0870ee511c189b1b5963e98cf9de37d19c0a94e05

SHA512
d4afcd1d126b8ef145790c2ae23d4c61381d04b2de213dc140f6e6bcf30cad6100df91577a17177d6eb3024e44ded03132c95c96fdb06f8fe502ab7840bd03db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
08382a2e54147a15b94d7ba0db7f32ab

SHA1
8842ea874cdd26e775c96815fe96267b5d0259b6

SHA256
a88264cd8124286639250e56617e992f81da7ef1d58577f69edd3b21f11d1bff

SHA512
e65630ddb073d38ef87157a9a2a2206250c45a25c0629059beac83aadb8c85a055779bd950cc3e099b4591463d21e33a0805900bcf97703398e16ec97a826813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5F65277B-6858-4EFE-96F8-D4A4EAB12C9A}.FSD

Filesize
128KB

MD5
2c029bb0d3ef268d92b158845e0bc5bd

SHA1
a8a32616548f051e36be47d41525c4029cfd74c8

SHA256
3d9d53dec1423b7d726b1440cd60796227868f3202023193368424b669d73722

SHA512
f7afe965cf96055561b98558a2f00211a5886177baf47a8034f1999f8b2fe6ecc954fbd4983dfc4f5b1aa8637267af6dc94627d816e027798ad88f5ce506f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
8839e71935289361f9c19714e6ae7613

SHA1
5ce1f420e40ebee10f9c416d79db6b9bf07fc704

SHA256
f084848825e4a926a5d1801ec380b25327f427de9865e99b7b3f3f4ac1215c48

SHA512
d7cffd6f28cec1ad593ea25032156d6a6aa8b1d8d49665fd7bfd9319c9cc64258a8ffa8c652b874bbca720bd03e70772cf421f437ea9871e3c693dcac5238899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0F78C702-CB7C-42BD-8812-A8D97721FBF9}.FSD

Filesize
128KB

MD5
99e2152982fec8e94b29f10c4e4ffbd8

SHA1
138b15dc3200c99a4223df95c478c4b39cd95bb8

SHA256
18964feb7e8f652bbedeb6b07a7dc6d0112141e714ab67600d28186f1524511f

SHA512
a371db6a6d75f53f482c4e3f76c077a82a25618640c72a72d0a80f1f736bcde6c2585a044e9f97258c71da04ed8d1cc21221e3c5f94820bf6791e297e9e693ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\beautifulroseflowerwanttogetinhandbecauseitsgreatthingshandbeautiuflthingshappenedtogetback___beautiuflflowers[1].doc

Filesize
63KB

MD5
7a7b11bbe3d337c74805c519c22601c0

SHA1
4b680f33a5d1f26934429bb7dff11b8b3f6ea0f8

SHA256
3f6bd3440b27d64b41ff2902d7b35c1105b7dc026e834755a1b44f63b5da965e

SHA512
c637d681ff8f7e00c74291bf38835ada5d4c074d62f9d5a12ceed7b4ec540f21e05dc89469664af08d7a68040e5d0646e1f13669ddec965812ce9eeb78975302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EA5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EFD.tmp

Filesize
1KB

MD5
e5319a32aae07ca11a0077f066d8b62f

SHA1
feba6e6aef0cc374a91cf357f86eaca5ca6cec95

SHA256
43677b14c2d988affbec9e24d0e5e621eccf94acd45a0a35dbfcb2294b81f2bb

SHA512
a2ad26cbb68c182855049aa15d091cfdef72bb5c581e881c3e779ff0fe70b230ab07c09ea614814e8009b282babd950d7d5c51c51440ee097e40c6ef7eb8a549

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91E2AC18-CBB6-42CD-B9E1-D9742542C767}

Filesize
128KB

MD5
71a0b8e5441eae4eab67fbae8da01627

SHA1
ea9e1ef8a5cac257e428f3d1506dafac04a86da7

SHA256
c1f1db77a7f3b01bd2a9331398b589b1aeafc7411850e21d8f9711adbfa1dae6

SHA512
8b9e6194fc0bfafa95685b7eb8f5eab7147c7359f8c4cc47d2fe1fad8761ab835cff6b46e0c9dce3797d9524224d4479f6f9ed489ad6aac5191137316a213c16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MULTGHKV.txt

Filesize
69B

MD5
e7a094b9a5d25c3ebb746e3da142148e

SHA1
881097247ec6c6704d5040a6949993cf7a14b14d

SHA256
c47f7a91a979ae9e7579f601c1bc42504d742af5be38d0881df1c9ca1b4d1e02

SHA512
6fecc7d7d1a80ec6f52a40bb406b184c1c7b13c606ac55ce58bfae52dff5ff8746eedf13c6c4bc7ec5e6c150c16f01d01e5fa5f68aa2ee534b9bfcc821900e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IC6WS40XJI6KD2SRJ0MA.temp

Filesize
7KB

MD5
51b23f06935960a2ea654fff60a14638

SHA1
9a28e3b6ba62808d5ef80ccfb05634821eab0f81

SHA256
92c2ca18872970710e0c8027aa7bef94100b2d17b4e8f6b3f7fadfef9ce741d2

SHA512
3dcb757ed91d290990c7fda6ad44f60e513ba61701169209e561a993de01a95ca67c810256ded67fe274d1020a9f4a2e84eb8a7763eec8956bb92de78a53d2d4

Download Submit
C:\Users\Admin\AppData\Roaming\vnc.exe

Filesize
978KB

MD5
1299c227f71353022f7ed366f9efb219

SHA1
b8437949812bd190d66b656cdf99625243e0740f

SHA256
b2ae69e681c120901c4f5f839125d81b53eabd3f22c0a50547604c15d43a33f3

SHA512
0e5276521830eab912247cead3adb5465cd2ad9fdb784999f189c8c854c541f6a671a3bfdce7880fd6c7b4e232c22cb57cfb288a3c71957ee858f1c354c5e26d

Download Submit
memory/1216-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1216-164-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2004-1-0x00000000723FD000-0x0000000072408000-memory.dmp

Filesize
44KB

Download
memory/2004-129-0x00000000723FD000-0x0000000072408000-memory.dmp

Filesize
44KB

Download
memory/2004-25-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/2004-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2488-132-0x00000000051F0000-0x00000000052B0000-memory.dmp

Filesize
768KB

Download
memory/2488-131-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2488-130-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2488-128-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/2488-126-0x0000000000890000-0x000000000098A000-memory.dmp

Filesize
1000KB

Download
memory/2560-24-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/2560-20-0x000000002FA71000-0x000000002FA72000-memory.dmp

Filesize
4KB

Download
memory/2560-22-0x00000000723FD000-0x0000000072408000-memory.dmp

Filesize
44KB

Download
memory/2560-172-0x00000000723FD000-0x0000000072408000-memory.dmp

Filesize
44KB

Download