51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a

Resubmissions

21-05-2024 10:56

240521-m1yrsaah95 10

17-05-2024 09:33

240517-lh8nlabg6x 10

17-05-2024 09:25

240517-ldlchabh35 10

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Size

1.1MB
MD5

ab8be64fd575f219a2ff48c82eeebf81
SHA1

af39348f99e58dc93a79fdb66e51f73f135a4a4b
SHA256

51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a
SHA512

4c014e1578bf1b1f9f294c204f0717f80ed8ed798ed5551cae389bdc943ded559936069f2d0cf3cc6fdf501c3a84309773463a06bc7995682068f7d1ecaf8a42
SSDEEP

24576:b6G5oq6WlY5EQJbBCt598PkfzGwWPEXyqc:bPQrJChIP1q

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

StikyNot.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTES = "C:\\Windows\\system32\\StikyNot.exe"	StikyNot.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2172 2244 WerFault.exe SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	pid_target	process	target process
2172	2244	WerFault.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exeWINWORD.EXE

pid process

2460 vlc.exe
1696 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2460 vlc.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

vlc.exeStikyNot.exe

pid	process
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2804	StikyNot.exe
2804	StikyNot.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

vlc.exe

pid	process
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe
2460	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vlc.exeWINWORD.EXE

pid process

2460 vlc.exe
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

description	pid	process	target process
PID 2244 wrote to memory of 2172	2244	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	WerFault.exe
PID 2244 wrote to memory of 2172	2244	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	WerFault.exe
PID 2244 wrote to memory of 2172	2244	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	WerFault.exe
PID 2244 wrote to memory of 2172	2244	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 716
  2⤵
  - Program crash
  PID:2172

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2372

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ApproveRepair.mpe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:536

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\UninstallGet.dotx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\system32\StikyNot.exe
"C:\Windows\system32\StikyNot.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0fb45b8640931dd3ec8ae949ced660aa

SHA1
5d26537be52c54e7619e497b64f5fac233448e62

SHA256
f765a8f847c6ab47ddfbf0fa3936da69150325e3d7772e6dbbccc788adeacad5

SHA512
e6f7c7faa92eea6d036f8476489bbe4a8a9def6d90afe079ae42ce383cc05609db35e82d39963679a8fae4cabc6144a3ec965563accbd05d523e27bfcc4563ae

Download Submit
memory/1696-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1696-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2244-0-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2460-16-0x000007FEF5B30000-0x000007FEF5B64000-memory.dmp

Filesize
208KB

Download
memory/2460-15-0x000000013FAA0000-0x000000013FB98000-memory.dmp

Filesize
992KB

Download
memory/2460-18-0x000007FEF7E30000-0x000007FEF7E48000-memory.dmp

Filesize
96KB

Download
memory/2460-23-0x000007FEF5610000-0x000007FEF562D000-memory.dmp

Filesize
116KB

Download
memory/2460-24-0x000007FEF55F0000-0x000007FEF5601000-memory.dmp

Filesize
68KB

Download
memory/2460-22-0x000007FEF5630000-0x000007FEF5641000-memory.dmp

Filesize
68KB

Download
memory/2460-21-0x000007FEF5650000-0x000007FEF5667000-memory.dmp

Filesize
92KB

Download
memory/2460-20-0x000007FEF5670000-0x000007FEF5681000-memory.dmp

Filesize
68KB

Download
memory/2460-19-0x000007FEF5690000-0x000007FEF56A7000-memory.dmp

Filesize
92KB

Download
memory/2460-17-0x000007FEF5870000-0x000007FEF5B24000-memory.dmp

Filesize
2.7MB

Download
memory/2460-25-0x000007FEF53F0000-0x000007FEF55F0000-memory.dmp

Filesize
2.0MB

Download
memory/2460-35-0x000007FEF41F0000-0x000007FEF4208000-memory.dmp

Filesize
96KB

Download
memory/2460-36-0x000007FEF41C0000-0x000007FEF41F0000-memory.dmp

Filesize
192KB

Download
memory/2460-57-0x000007FEF2F60000-0x000007FEF2FCD000-memory.dmp

Filesize
436KB

Download
memory/2460-56-0x000007FEF2FD0000-0x000007FEF3032000-memory.dmp

Filesize
392KB

Download
memory/2460-55-0x000007FEF3040000-0x000007FEF30B5000-memory.dmp

Filesize
468KB

Download
memory/2460-54-0x000007FEF30C0000-0x000007FEF3185000-memory.dmp

Filesize
788KB

Download
memory/2460-53-0x000007FEF3190000-0x000007FEF31A6000-memory.dmp

Filesize
88KB

Download
memory/2460-52-0x000007FEF31B0000-0x000007FEF31C1000-memory.dmp

Filesize
68KB

Download
memory/2460-51-0x000007FEF31D0000-0x000007FEF31FF000-memory.dmp

Filesize
188KB

Download
memory/2460-58-0x000007FEF2DE0000-0x000007FEF2F58000-memory.dmp

Filesize
1.5MB

Download
memory/2460-50-0x000007FEFB4F0000-0x000007FEFB500000-memory.dmp

Filesize
64KB

Download
memory/2460-49-0x000007FEF3200000-0x000007FEF3217000-memory.dmp

Filesize
92KB

Download
memory/2460-48-0x000007FEF3220000-0x000007FEF3231000-memory.dmp

Filesize
68KB

Download
memory/2460-47-0x000007FEF3240000-0x000007FEF3261000-memory.dmp

Filesize
132KB

Download
memory/2460-46-0x000007FEF3F70000-0x000007FEF3F82000-memory.dmp

Filesize
72KB

Download
memory/2460-45-0x000007FEF3F90000-0x000007FEF3FA1000-memory.dmp

Filesize
68KB

Download
memory/2460-44-0x000007FEF3FB0000-0x000007FEF3FD3000-memory.dmp

Filesize
140KB

Download
memory/2460-43-0x000007FEF3FE0000-0x000007FEF3FF7000-memory.dmp

Filesize
92KB

Download
memory/2460-42-0x000007FEF4000000-0x000007FEF4024000-memory.dmp

Filesize
144KB

Download
memory/2460-41-0x000007FEF4030000-0x000007FEF4058000-memory.dmp

Filesize
160KB

Download
memory/2460-40-0x000007FEF4060000-0x000007FEF40B6000-memory.dmp

Filesize
344KB

Download
memory/2460-39-0x000007FEF40C0000-0x000007FEF40D1000-memory.dmp

Filesize
68KB

Download
memory/2460-38-0x000007FEF40E0000-0x000007FEF414F000-memory.dmp

Filesize
444KB

Download
memory/2460-26-0x000007FEF4340000-0x000007FEF53EB000-memory.dmp

Filesize
16.7MB

Download
memory/2460-37-0x000007FEF4150000-0x000007FEF41B7000-memory.dmp

Filesize
412KB

Download
memory/2460-34-0x000007FEF4210000-0x000007FEF4221000-memory.dmp

Filesize
68KB

Download
memory/2460-33-0x000007FEF4230000-0x000007FEF424B000-memory.dmp

Filesize
108KB

Download
memory/2460-32-0x000007FEF4250000-0x000007FEF4261000-memory.dmp

Filesize
68KB

Download
memory/2460-31-0x000007FEF4270000-0x000007FEF4281000-memory.dmp

Filesize
68KB

Download
memory/2460-30-0x000007FEF4290000-0x000007FEF42A1000-memory.dmp

Filesize
68KB

Download
memory/2460-29-0x000007FEF42B0000-0x000007FEF42C8000-memory.dmp

Filesize
96KB

Download
memory/2460-28-0x000007FEF42D0000-0x000007FEF42F1000-memory.dmp

Filesize
132KB

Download
memory/2460-27-0x000007FEF4300000-0x000007FEF433F000-memory.dmp

Filesize
252KB

Download
memory/2460-71-0x000007FEF5B30000-0x000007FEF5B64000-memory.dmp

Filesize
208KB

Download
memory/2460-72-0x000007FEF5870000-0x000007FEF5B24000-memory.dmp

Filesize
2.7MB

Download
memory/2460-70-0x000000013FAA0000-0x000000013FB98000-memory.dmp

Filesize
992KB

Download
memory/2460-73-0x000007FEF4340000-0x000007FEF53EB000-memory.dmp

Filesize
16.7MB

Download