eeb97416a6987dbad5d81f89db04f68d73322efdaa7ad6b03e35b1f4ad753486

Analysis

max time kernel
36s
max time network
44s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 14:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cheeto.zip
Size

984KB
MD5

a0087bde1ef6654c982fdc0c21abdfba
SHA1

bdb495c4568fcb596ba7431c0b0c4357e3e49bbd
SHA256

eeb97416a6987dbad5d81f89db04f68d73322efdaa7ad6b03e35b1f4ad753486
SHA512

35b858343a9d880c1b966933156feda04218763fe3444a761172e7968c2f0146c771e3159828ce8198aa082d8fc3b47d049aba3120e85d004a72afd3e1eac3f5
SSDEEP

24576:BSJDtNWydbGyr+bi5u5NYzK4O2WIWVkSoDoN:BSJBNWyxGyybi5u5+zK4/WEDoN

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	chrome.exe
660	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe
Token: SeShutdownPrivilege	660	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe
660	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	WINWORD.EXE
2792	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2632	2792	WINWORD.EXE	32
PID 2792 wrote to memory of 2632	2792	WINWORD.EXE	32
PID 2792 wrote to memory of 2632	2792	WINWORD.EXE	32
PID 2792 wrote to memory of 2632	2792	WINWORD.EXE	32
PID 660 wrote to memory of 2552	660	chrome.exe	37
PID 660 wrote to memory of 2552	660	chrome.exe	37
PID 660 wrote to memory of 2552	660	chrome.exe	37
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 2196	660	chrome.exe	39
PID 660 wrote to memory of 1368	660	chrome.exe	40
PID 660 wrote to memory of 1368	660	chrome.exe	40
PID 660 wrote to memory of 1368	660	chrome.exe	40
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41
PID 660 wrote to memory of 1660	660	chrome.exe	41

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cheeto.zip
1⤵
PID:2872

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4d19758,0x7fef4d19768,0x7fef4d19778
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:2
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1152 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3588 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3500 --field-trial-handle=1372,i,6329284333716484202,13116838302528733840,131072 /prefetch:1
  2⤵
  PID:1492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c0759196-c725-4b87-95a6-6848271df39e.tmp

Filesize
271KB

MD5
b7c94baa2459185f8928a28c3027ef50

SHA1
8128f8b7130719e1e930f9554371cce289d79e67

SHA256
7b7f385efdcd045607189a4f796235bf1a2e6a4518da4ae83640df51b03fcb3a

SHA512
429b1202f76d5620ce74df49179b2dc43ce929158a7f24d1ef4bbcfb359ae670a3c44dffbd4d5319096a1c8b0ea8964663c32f34a59a924de62c1feba7b3d1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9921432d5f6a0de61021ff5746d6696d

SHA1
e411f140aa8a8439f25be012e59ad3fc999ca13b

SHA256
d1809602d4cb4de862bbd58cffdb99ff6f374e53eedf01c8f3c280d59266cbe0

SHA512
180c243c830633147a58d059928f435c16d582825c39f2ac93ada44ef0139f7d641a9cb11f461e323cd82bc7a7bacb233b47fb71f01c5dec7e223625b76692e6

Download Submit
C:\Users\Admin\Desktop\ApproveRepair.xsl

Filesize
636KB

MD5
87cb8508df1d5b7b973726b389a7419d

SHA1
7fdd9bb770ed27426d4535430e83ee38dad5fb5b

SHA256
83a171a0a2e0950360fb4b2f4988dc835567e1fd7bd56bc38c3192a8bc8112f1

SHA512
4011f83e1631e8f554c54023823f7fa1369636ab1b1cda0d1a2c3b78de31ab2da27f80f5f1b90d6627789cd5d878535b8b8dd080d37742cf5d1b59d87c9aaf14

Download Submit
C:\Users\Admin\Desktop\ClearApprove.ps1

Filesize
281KB

MD5
a903daf526aaa8d41e24babe1e2e05d4

SHA1
7e894cd8127acc49872663dec399c10c50ff52a1

SHA256
0efeb8e598d89715141b760bb68c7f0862f5684b127067ad08707632a50e6c46

SHA512
00918065fce89459beaf1d8a226e93f2ff7d5cd1d0032c8f353f825d55c4af38ecb361661406e04f4e91d8b8c5512bba22d8995c27cfb45f9e839593fa250567

Download Submit
C:\Users\Admin\Desktop\FindRename.M2T

Filesize
192KB

MD5
9cc8033d68b54d9880615576da19c1fd

SHA1
c9217b93031acbf56e25eebab8d92c7c56ec4428

SHA256
e23cd39c4a9764783e822d83d707206a85034b4b3d74330be9f5e1a6632fd435

SHA512
2b3729a0a9679ebbd0c399ed27dc9329f2cde4892161fbac85036be5e355e2f59ed97d417208187c1fb9552945c3e4af5bb4bacf6d89c40a3066c7f61df93b4d

Download Submit
C:\Users\Admin\Desktop\MeasureProtect.mpeg3

Filesize
459KB

MD5
3ba0e01e5f1ba5f1ca580c7338b79ffc

SHA1
96eeb99b2b2c6de0d5f8cc0079f1263977a6180a

SHA256
a09bb37604a37c343643da8e4d4c1df3661454c28b4e4e122e28003022320242

SHA512
13f35bbccafc63b4fda34ffe0901451409189056c8ad1eb7d1577354c314bc93c4483979ecc2e496cc48d90b580fcc7f52489f6104ada95a5d834a8382c0f1f0

Download Submit
C:\Users\Admin\Desktop\RepairImport.ram

Filesize
385KB

MD5
f19cda0db8ca16cc9941f035132d275c

SHA1
75800417701d4e48947c07b868de5e453832e3e9

SHA256
9d31a04338bc9a5cf6adb23ec382431beec56df00b8d721901fa996a67aa33c4

SHA512
3fb307dd061ce3685b0e676133ca086967a9c0b8fe032535f9f89c91be78b797d44d7fe13df8cac290b5f9287f75e0c507f99a3d0172b06cb4f0de3f5829de42

Download Submit
C:\Users\Admin\Desktop\RestoreInstall.reg

Filesize
370KB

MD5
9b231c5a37f5c1431f9c82d84099ad5b

SHA1
5f481d98b33f092891d6cd41734329d988f56b52

SHA256
868933904ed19bb5896322b855d068f64add18d42d9b8cc7bcb3e15510167d69

SHA512
d9748b731224927fd889d635008b65fe6cc9b470efb2bdf9d2f8283d20a2827fdad8f182cd088d83b7e6ffa546a618ce778c95a840a84397fb1f3afeccf1019f

Download Submit
C:\Users\Admin\Desktop\SelectRemove.ico

Filesize
296KB

MD5
8df278befdebbd81ef7e281b4907fef0

SHA1
9b4f76404ed78fc5c101ea4209123476634286ca

SHA256
43862224617f74fe8bf63399e4c8125e8935a12bef88a348ad31226641376b79

SHA512
0ef96e7d16d3d95b1c1dea1865c0cb5af9a563cf3c71dfbc1691e57c652c5baf47432c86f41f495c1c33b9624e58a188cc297f8a05fbff1152364fb40ae94ca6

Download Submit
C:\Users\Admin\Desktop\SendUnblock.jpg

Filesize
207KB

MD5
f734af260c6fce19f5276a70625644fc

SHA1
d88fea44052e9267c69b211c346cfa5b102d4314

SHA256
d124cc8825f8d54d5afdecfe5d8e28b0bd0e866666f0f109438e03ae14ca0275

SHA512
edf67bf3731682b19ccf4b0aacf28737c9677b1e8b2584e154d30acdb4c073eef4ef68f761418955ca0d0f4e3495057cd593203f3c57f5f7d9de5bad996a181f

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
637813cd9d30686e7ddc6fd24845ef15

SHA1
24bfb05031e8586888d655e6df1affc4d100fece

SHA256
93055381eb43b8833da2db109ad989a1ec9448124e90458222d38f80d4ee3a4d

SHA512
da19c3b1c035bb78213c512f402696e22f6200580c22aca0a54260163bf8daf89295ed96301381ecfa269c235f73926cecb138c9607d091f4e23daeb95feea20

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
931B

MD5
177e07f5928cb18316b05d0a8b2ac19f

SHA1
4cafe8b90651bb3218c723d5b96b80c5c50a4c88

SHA256
3aedc17feb13d1ee34f83bb7f624929dcd160271db5368e1bd021c238fd1b2c4

SHA512
784f262fd66af5eb4b4e5f2eaf2183d103b993d8d90dee127788ad0af0fa351e772d15e0b1857bfa79badc1e5053ac679a2e9ae04db0c69c99ddc53d8037bdd2

Download Submit
memory/2792-39-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/2792-0-0x000000002FAD1000-0x000000002FAD2000-memory.dmp

Filesize
4KB

Download
memory/2792-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-2-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/2792-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download