Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/05/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
  Resource: win10v2004-20240426-en
General
Target: 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Size: 97KB
MD5: 480412c2c0d22dc5b03edcfe75dc1b5c
SHA1: 5e476973313e9fbeab892d3d6101093f3b42bf1a
SHA256: 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53
SHA512: 33e4f2e9c74a26cde8301063e370d5bec63f844037b01b382ab87a668c77262c5471103f48083aee72401e2fd752ab10f87040457c7ff0b1f0b30786a5e3273a
SSDEEP: 1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIn:J8dfX7y9DZ+N7eB+tIn
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Executes dropped EXE 12 IoCs
pid | Process
4820 | SVCHOST.EXE
3076 | SVCHOST.EXE
408 | SVCHOST.EXE
1364 | SVCHOST.EXE
3060 | SVCHOST.EXE
2984 | SPOOLSV.EXE
4608 | SVCHOST.EXE
3660 | SVCHOST.EXE
4840 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
640 | SVCHOST.EXE
1788 | SPOOLSV.EXE
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
File opened for modification | F:\Recycled\desktop.ini | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 29 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2164 | WINWORD.EXE
2164 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 20 IoCs
pid | Process
4736 | 52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
4820 | SVCHOST.EXE
3076 | SVCHOST.EXE
408 | SVCHOST.EXE
1364 | SVCHOST.EXE
3060 | SVCHOST.EXE
2984 | SPOOLSV.EXE
4608 | SVCHOST.EXE
3660 | SVCHOST.EXE
4840 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
640 | SVCHOST.EXE
1788 | SPOOLSV.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
2164 | WINWORD.EXE
Suspicious use of WriteProcessMemory 38 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe (PID 4736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\recycled\SVCHOST.EXE (PID 4820)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\recycled\SVCHOST.EXE (PID 3076)
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE (PID 408)
      Command line: F:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\recycled\SVCHOST.EXE (PID 1364)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE (PID 3060)
        Command line: F:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE (PID 2984)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\recycled\SVCHOST.EXE (PID 4608)
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE (PID 3660)
          Command line: F:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE (PID 4840)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE (PID 2852)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  - F:\recycled\SVCHOST.EXE (PID 640)
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE (PID 1788)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2164)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads