Analysis
max time kernel: 149s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 05:41

Static task: static1

Behavioral task: behavioral1
Sample: fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Resource: win10v2004-20240426-en

General
Target: fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Size: 89KB
MD5: 4dd695aa2695ec57cd9998536790b010
SHA1: 03a04922b652da53fa3fbdfd4588922b1896b2d4
SHA256: fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c
SHA512: 1ac4b7f217d5aef7d946a488c3e547b097ed9f54ed1025c015853e47c9c8ad8a96fda821701c09914a49a02adb7ffc4461dc14817cc7ee9942ee134d5e313cfd
SSDEEP: 1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnV:BDeb4T0daHy9DZc86yGUtnV

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Detects executables packed with ASPack (23 IoCs)
resource | yara_rule
behavioral2/memory/4244-0-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x000100000000002c-9.dat | INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023468-16.dat | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2792-17-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2788-26-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2028-30-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3576-36-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3576-41-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5100-43-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023469-45.dat | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2232-48-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5100-50-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1192-57-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2024-58-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2024-64-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4780-65-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4780-66-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3104-68-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3104-71-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3028-75-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3028-77-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1264-80-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4244-81-0x0000000000400000-0x000000000041A000-memory.dmp | INDICATOR_EXE_Packed_ASPack
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Executes dropped EXE (12 IoCs)
pid | Process
2792 | SVCHOST.EXE
2788 | SVCHOST.EXE
2028 | SVCHOST.EXE
3576 | SVCHOST.EXE
5100 | SVCHOST.EXE
2232 | SPOOLSV.EXE
1192 | SVCHOST.EXE
2024 | SVCHOST.EXE
4780 | SPOOLSV.EXE
3104 | SPOOLSV.EXE
3028 | SVCHOST.EXE
1264 | SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
File opened for modification | F:\Recycled\desktop.ini | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (30 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | Explorer.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1620 | WINWORD.EXE
1620 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (20 IoCs)
pid | Process
4244 | fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
2792 | SVCHOST.EXE
2788 | SVCHOST.EXE
2028 | SVCHOST.EXE
3576 | SVCHOST.EXE
5100 | SVCHOST.EXE
2232 | SPOOLSV.EXE
1192 | SVCHOST.EXE
2024 | SVCHOST.EXE
4780 | SPOOLSV.EXE
3104 | SPOOLSV.EXE
3028 | SVCHOST.EXE
1264 | SPOOLSV.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
1620 | WINWORD.EXE
Suspicious use of WriteProcessMemory (43 IoCs)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4244

  [depth 2] C:\recycled\SVCHOST.EXE
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2792

    [depth 3] C:\recycled\SVCHOST.EXE
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 2788

    [depth 3] F:\recycled\SVCHOST.EXE
      Command line: F:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2028

      [depth 4] C:\recycled\SVCHOST.EXE
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 3576

      [depth 4] F:\recycled\SVCHOST.EXE
        Command line: F:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 5100

      [depth 4] C:\recycled\SPOOLSV.EXE
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2232

        [depth 5] C:\recycled\SVCHOST.EXE
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 1192

        [depth 5] F:\recycled\SVCHOST.EXE
          Command line: F:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2024

        [depth 5] C:\recycled\SPOOLSV.EXE
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 4780

    [depth 3] C:\recycled\SPOOLSV.EXE
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 3104

    [depth 3] C:\Windows\SysWOW64\userinit.exe
      Command line: C:\Windows\system32\userinit.exe
      - Suspicious use of WriteProcessMemory
      PID: 4940

      [depth 4] C:\Windows\Explorer.EXE
        Command line: C:\Windows\Explorer.EXE
        - Modifies registry class
        PID: 1104

  [depth 2] F:\recycled\SVCHOST.EXE
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3028

  [depth 2] C:\recycled\SPOOLSV.EXE
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1264

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 1620
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 89KB
MD5: ced0ce2a797c70ecda4d6ef101831fdd
SHA1: 0f8d92e4e7d9ed454c9913050c5523094cb6574b
SHA256: 89de7d4bb5ac99754f1f4ec44505773d0939ae8d1bb03d1dda81fc52af6b2102
SHA512: 8ee458e9f95f95b5a436c4bcfb6bd17ec50c8f9a2e76633a5485c0787e6d6c29251c581ac5034b66f4acf7eb4df3b2b045b87890db374a57ee37c2773dca203c

Filesize: 89KB
MD5: f1551f244c0b734ae4ecfb8752d3a404
SHA1: e49bd54b4385dc68fc3bd6adba47961eee0c0e26
SHA256: 8e77d830fe73e31dab5aca0e247d01e135ce73e782777ba1fe8ba5104f587e93
SHA512: a5c9fd40a685893b675d5fc1fcc181b1d107d5a711824030e35262b8136b13b17af8999caa4117e022b25bedd7c76fd19d056aa9e3afd2b41fef9307a2545207

Filesize: 1KB
MD5: 0269b6347e473980c5378044ac67aa1f
SHA1: c3334de50e320ad8bce8398acff95c363d039245
SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 2B
MD5: 2b9d4fa85c8e82132bde46b143040142
SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Filesize: 89KB
MD5: 1cd2737f081571cd162070c70d0564af
SHA1: d5bcb147edb8b9530a5312cf72fe186b0c5e13fd
SHA256: 7d7c9e71930dd68439ee58adf1cb3f56a02238b73dc5e854de1a957b31eaa500
SHA512: 37cf4fd84eb4bee4bb2133ad5fd2873914f45e69ca13d9a09c0590f0efc9411d1b96c94a2756225badb021de2056a2b8694d220780f148180cab230430e64d5a