Analysis

max time kernel: 119s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 13:46
Static task: static1

Behavioral task: behavioral1
Sample: PO-45728-10876.rtf
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: PO-45728-10876.rtf
Resource: win10v2004-20240508-en
General

Target: PO-45728-10876.rtf
Size: 373KB
MD5: 41a88833eb89e0d4d115c1a47cf80119
SHA1: 71a35d918b6f2ae24e50cc3d7a357392ec84eda7
SHA256: 157952d9b444d611f06393a1b2708862e8966bfa5443ca404698b07a38f8aa5d
SHA512: 109d43dbacbf7040da3e38ca685c894a18b0a5f8257750d2d7bc6691410b82a4cae07ed60f74e021273639f3c15b268803b32863654590f30803ab2e4f300d61
SSDEEP: 6144:VwAYwAYwAYwAYwAYwAYwAYwAYwAYwAwoXT5q1SgT:lt
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: psolver827.ddns.net:1974
C2: 127.0.0.1:1974
Mutex: 9bd2ed5f-213a-4882-91bf-95b6e3347c3e

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2024-02-26T07:38:31.398347236Z
bypass_user_account_control: false
bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1974
default_group: dcGEN
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 9bd2ed5f-213a-4882-91bf-95b6e3347c3e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: psolver827.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Blocklisted process makes network request 2 IoCs
Processes (flow / pid / process):
- 4 / 2556 / EQNEDT32.EXE
- 7 / 2556 / EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 768 / powershell.exe
- 1664 / powershell.exe
Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes (pid / process):
- 2408 / bless33333.scr
- 1504 / bless33333.scr
- 1848 / bless33333.scr

Loads dropped DLL 1 IoCs
Processes (pid / process):
- 2556 / EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" / bless33333.scr

Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / bless33333.scr

Drops file in System32 directory 2 IoCs
Processes (description / ioc / process):
- File opened for modification / C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk / powershell.exe
- File opened for modification / C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk / powershell.exe

Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 2408 set thread context of 1848 / 2408 / bless33333.scr / bless33333.scr

Drops file in Program Files directory 2 IoCs
Processes (description / ioc / process):
- File created / C:\Program Files (x86)\DHCP Host\dhcphost.exe / bless33333.scr
- File opened for modification / C:\Program Files (x86)\DHCP Host\dhcphost.exe / bless33333.scr

Drops file in Windows directory 1 IoCs
Processes (description / ioc / process):
- File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 2844 / schtasks.exe
- 1668 / schtasks.exe
- 3028 / schtasks.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes (description / ioc), all by WINWORD.EXE:
- Set value (str) / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (int) / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Set value (int) / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Set value (str) / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key created / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (str) / \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
Modifies registry class 64 IoCs
Processes (description / ioc), all by WINWORD.EXE:
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key deleted / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid / process):
- 2964 / WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes (pid / process):
- 2408 / bless33333.scr
- 2408 / bless33333.scr
- 2408 / bless33333.scr
- 2408 / bless33333.scr
- 2408 / bless33333.scr
- 1664 / powershell.exe
- 768 / powershell.exe
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr
- 1848 / bless33333.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 1848 / bless33333.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2408 / bless33333.scr
- Token: SeDebugPrivilege / 1664 / powershell.exe
- Token: SeDebugPrivilege / 768 / powershell.exe
- Token: SeDebugPrivilege / 1848 / bless33333.scr

Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid / process):
- 2964 / WINWORD.EXE
- 2964 / WINWORD.EXE

Suspicious use of WriteProcessMemory 41 IoCs
Processes (description / pid / process / target process):
- PID 2556 wrote to memory of 2408 / 2556 / EQNEDT32.EXE / bless33333.scr
- PID 2556 wrote to memory of 2408 / 2556 / EQNEDT32.EXE / bless33333.scr
- PID 2556 wrote to memory of 2408 / 2556 / EQNEDT32.EXE / bless33333.scr
- PID 2556 wrote to memory of 2408 / 2556 / EQNEDT32.EXE / bless33333.scr
- PID 2408 wrote to memory of 768 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 768 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 768 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 768 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 1664 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 1664 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 1664 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 1664 / 2408 / bless33333.scr / powershell.exe
- PID 2408 wrote to memory of 1668 / 2408 / bless33333.scr / schtasks.exe
- PID 2408 wrote to memory of 1668 / 2408 / bless33333.scr / schtasks.exe
- PID 2408 wrote to memory of 1668 / 2408 / bless33333.scr / schtasks.exe
- PID 2408 wrote to memory of 1668 / 2408 / bless33333.scr / schtasks.exe
- PID 2408 wrote to memory of 1504 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1504 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1504 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1504 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 2408 wrote to memory of 1848 / 2408 / bless33333.scr / bless33333.scr
- PID 1848 wrote to memory of 3028 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 3028 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 3028 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 3028 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 2844 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 2844 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 2844 / 1848 / bless33333.scr / schtasks.exe
- PID 1848 wrote to memory of 2844 / 1848 / bless33333.scr / schtasks.exe
- PID 2964 wrote to memory of 2240 / 2964 / WINWORD.EXE / splwow64.exe
- PID 2964 wrote to memory of 2240 / 2964 / WINWORD.EXE / splwow64.exe
- PID 2964 wrote to memory of 2240 / 2964 / WINWORD.EXE / splwow64.exe
- PID 2964 wrote to memory of 2240 / 2964 / WINWORD.EXE / splwow64.exe
Processes (tree depth shown by indentation)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-45728-10876.rtf"
  PID: 2964
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2240

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2556
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\bless33333.scr
    Command line: "C:\Users\Admin\AppData\Roaming\bless33333.scr"
    PID: 2408
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bless33333.scr"
      PID: 768
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WyYsjgJBJvIP.exe"
      PID: 1664
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WyYsjgJBJvIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A6F.tmp"
      PID: 1668
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\bless33333.scr
      Command line: "C:\Users\Admin\AppData\Roaming\bless33333.scr"
      PID: 1504
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\bless33333.scr
      Command line: "C:\Users\Admin\AppData\Roaming\bless33333.scr"
      PID: 1848
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp"
        PID: 3028
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5C35.tmp"
        PID: 2844
        - Creates scheduled task(s)
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Exploitation for Client Execution (1)
- Scheduled Task/Job (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5A6F.tmp
Filesize: 1KB
MD5: eb3137ddf1f1a996848c11e91755f051
SHA1: 8295b8e779d732544215d026e792e3c2dd6c6372
SHA256: 4824db1605c62755129b093df75a69ff8fa65aa9584386628bf94ab4172d89b1
SHA512: a69e4792f577b82291927255ced65608297be14c3ed8063517d49ec37fc95d1ebb37c4ae537bdc683d3d12f886e04e4f9abbb9a42aae739512a4d9c1fc006315

C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp
Filesize: 1KB
MD5: f188884cbb66b6bb84e6f64695df9e08
SHA1: a4c35ff4d85b798a000a87c426f7d4fb0ab69f31
SHA256: bdddeb02adbd7c3cfc9574b4ca85503bdc62099114dad04db69143a2d46444f9
SHA512: f09731604045f1cd6c7538f6ecdf085b9fe6049f6e05b32b2ae2569dcf00463d328970c944fd59feb3359af1123534dea58ad23b55e51deef3a9e646aeb522c4

C:\Users\Admin\AppData\Local\Temp\tmp5C35.tmp
Filesize: 1KB
MD5: 0479d5f304ef2d7e3c15fb24a99f88c1
SHA1: 8edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256: 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512: 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

C:\Users\Admin\AppData\Roaming\bless33333.scr
Filesize: 703KB
MD5: 22594e7b70f9742f9a523114c301a6bb
SHA1: e4a9141ed6a1bce9bd1145b634f54553f7eac4e2
SHA256: 007977b403d4c8ba9d80b07d25163b358be63edac626d3f0b88f576e5468f7d5
SHA512: 8817f74c356362c1e2529f94884b1397a20365e7de9147a4a2e85b2442eaa417eeca9aebf895fe3f1ddb63a0b70378428dd30c6223a0f3a099e3feb2f918f0bd
Memory dumps (dump / Filesize):
- memory/1848-80-0x0000000000980000-0x0000000000992000-memory.dmp / 72KB
- memory/1848-72-0x00000000003E0000-0x00000000003EA000-memory.dmp / 40KB
- memory/1848-88-0x00000000043F0000-0x0000000004404000-memory.dmp / 80KB
- memory/1848-87-0x00000000043C0000-0x00000000043EE000-memory.dmp / 184KB
- memory/1848-86-0x00000000021F0000-0x00000000021FE000-memory.dmp / 56KB
- memory/1848-85-0x00000000021E0000-0x00000000021F4000-memory.dmp / 80KB
- memory/1848-84-0x00000000021D0000-0x00000000021E0000-memory.dmp / 64KB
- memory/1848-55-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-64-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-60-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp / 4KB
- memory/1848-57-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-53-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-62-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-51-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/1848-83-0x0000000002180000-0x0000000002194000-memory.dmp / 80KB
- memory/1848-82-0x00000000020F0000-0x00000000020FC000-memory.dmp / 48KB
- memory/1848-81-0x00000000020E0000-0x00000000020EE000-memory.dmp / 56KB
- memory/1848-73-0x0000000000440000-0x000000000045E000-memory.dmp / 120KB
- memory/1848-74-0x00000000003F0000-0x00000000003FA000-memory.dmp / 40KB
- memory/1848-77-0x00000000004C0000-0x00000000004D2000-memory.dmp / 72KB
- memory/1848-78-0x00000000007A0000-0x00000000007BA000-memory.dmp / 104KB
- memory/1848-79-0x00000000007C0000-0x00000000007CE000-memory.dmp / 56KB
- memory/2408-31-0x0000000000170000-0x0000000000222000-memory.dmp / 712KB
- memory/2408-29-0x000000006B9AE000-0x000000006B9AF000-memory.dmp / 4KB
- memory/2408-39-0x0000000005E40000-0x0000000005EBA000-memory.dmp / 488KB
- memory/2408-38-0x00000000004B0000-0x00000000004C0000-memory.dmp / 64KB
- memory/2408-37-0x0000000000550000-0x000000000055C000-memory.dmp / 48KB
- memory/2408-36-0x0000000000780000-0x00000000007A2000-memory.dmp / 136KB
- memory/2964-0-0x000000002FD41000-0x000000002FD42000-memory.dmp / 4KB
- memory/2964-1-0x000000005FFF0000-0x0000000060000000-memory.dmp / 64KB
- memory/2964-2-0x000000007189D000-0x00000000718A8000-memory.dmp / 44KB
- memory/2964-90-0x000000007189D000-0x00000000718A8000-memory.dmp / 44KB