modiloader | 93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c.xls
Size

967KB
MD5

30c72d7387b2033675119cc82906bbb8
SHA1

e3c3f070b85f9c991069b408e7147bd1b19882bb
SHA256

93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c
SHA512

3368a3bb66f88dde45120e072b9a04a36d799961dcb230785745ba5ee916ebf8272fc2fb896a935ddfcc636fe7e09e0711fa0f663674eb08461fde44a6602f69
SSDEEP

24576:SUP/mMxAF77GF0SNjs6ivPQbA2j3AOk6N1Y:SGsNk0SNjs5PAVUl

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2400-181-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-184-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-182-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-183-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-185-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-188-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-187-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-189-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-190-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-191-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-193-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-195-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-198-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-199-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-200-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-202-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-207-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-208-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-209-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-205-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-214-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-212-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-216-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-218-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-219-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-220-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-225-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-222-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-192-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-227-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-232-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-229-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-234-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-237-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-239-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-241-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-244-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-246-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-248-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-251-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-255-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-253-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-257-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-259-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-262-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-194-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-223-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-221-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-217-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-215-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-213-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-211-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-210-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-206-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-204-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-203-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-201-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-197-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-196-0x0000000003660000-0x0000000004660000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

30 1040 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

igcc.exe

pid process

2400 igcc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1040 EQNEDT32.EXE
1040 EQNEDT32.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1040 EQNEDT32.EXE

flow	pid	process
30	1040	EQNEDT32.EXE

pid	process
2400	igcc.exe

pid	process
1040	EQNEDT32.EXE
1040	EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1040	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2076 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2076 EXCEL.EXE
2076 EXCEL.EXE
2076 EXCEL.EXE
2180 WINWORD.EXE
2180 WINWORD.EXE
2076 EXCEL.EXE
2076 EXCEL.EXE
2076 EXCEL.EXE

pid	process
2076	EXCEL.EXE

pid	process
2076	EXCEL.EXE
2076	EXCEL.EXE
2076	EXCEL.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
2076	EXCEL.EXE
2076	EXCEL.EXE
2076	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXE

description	pid	process	target process
PID 1040 wrote to memory of 2400	1040	EQNEDT32.EXE	igcc.exe
PID 1040 wrote to memory of 2400	1040	EQNEDT32.EXE	igcc.exe
PID 1040 wrote to memory of 2400	1040	EQNEDT32.EXE	igcc.exe
PID 1040 wrote to memory of 2400	1040	EQNEDT32.EXE	igcc.exe
PID 2180 wrote to memory of 3036	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 3036	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 3036	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 3036	2180	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3036

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\igcc.exe
"C:\Users\Admin\AppData\Roaming\igcc.exe"
2⤵
- Executes dropped EXE
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
872e1d9dbf4a7ef3dc0a2a5030f65126

SHA1
66ee0cc17f1215686feaecc07de0eedb7f359aac

SHA256
67d518b9afd3474806418f4bb1236863e31a3af830eac77868c3a0d223cd5d36

SHA512
53ecf008a1d85cf3f321045251d6d0ded561f0c64378f168ce666a84ee19709c1c2b0385a802d9821a51e4db0477d2fb9543e56b0b37ce27b45b63b7a6f00bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5D5DB427-058E-44B7-B9CD-AB47205BD172}.FSD
Filesize
128KB

MD5
452c50754585c1d947f6350ca6d4b16f

SHA1
584b7c4826deca304b713d40f06f841aa5283b30

SHA256
6f74c850b0e458c5b97e75795f2e8298c8d19ebb16e6c1065392c8ec4f95fec9

SHA512
822d38daaa806150dbfc77cd7bb1b1fe142848a38bb5cbadf2276da4ff5013ead2c0cee85b52f7f67623872bde0990d1edc5b99899ef35e66bd0cce37f6f923a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
c5ac46a6cc866ffd68f6b29bcd18bf41

SHA1
49cf1e5d040ed8fd5b034527160db31249725873

SHA256
3ab23f7836d51cfe17eff65637dc449a0c46aaeebbb5e8593407bb675c1f7ca3

SHA512
7acccb30fb1263a34f4735131fefd2c63f3a4f80c461f2839d3fadf26627520a0e37f1c261488c7efe5c44d8b40a64c3124aa1bc83d153157c9eec70832f4089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{22C18D51-BD3D-484C-A242-C277D9BA8BC6}.FSD
Filesize
128KB

MD5
9b0db091d05155abe5a8061d4c8fc6fc

SHA1
3b6f0620f116ab8fa2939d0ef00b15fe90f6f019

SHA256
d89b40cb560b179c37d7a8b9f8220d75914826368adb08e11c452bb3181a4064

SHA512
f9ea7b97b063d28856f99c0933841e03ea97a79398f5c68bb1fb867e49958bd5a4b6882a6346d439383a8d69b3d9715dd80dfb2306a52717758ad3d632929989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0DW1CQS\lionsareveryinterstingcharacteroneverytimetounderstandthewayofhowitsfinetogetmebackintheforestsuchagreat__lionsarekingofjungle[1].doc
Filesize
104KB

MD5
fe30d755f7243a16d47bf6f37b929cd2

SHA1
a3d84850f11e67516e21914997944d19e41d2bf2

SHA256
5d7601529aeeebfd4e2f2a4f5320d7f276200b3f04bbb414c66345f586a23b0f

SHA512
b040f620da8c2766c6c73cb6f6e3c5d913e77f5b5ed3931d46cd6cbad74d434581e40d57fa98ef506e3344479e7bc259b091b05b11f1d854528e3ae393d3879c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab396B.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B61.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{582B30C5-25B3-4BE6-9F0F-5E2CCA2DA900}
Filesize
128KB

MD5
e16674aa4262fe3ef6a8461abdd41252

SHA1
46369a55ced924925fc1a2b08d4939e324e7f104

SHA256
f97b71ac5bde4785fc769783a0008c6145272c02d3a9e1ba773c362e81adf487

SHA512
a2c5b0280d5d0d348f713eff31ff432184c1675d3edc7bd1725295ddbec664fb164e34695cebb686a26d8d319695d3f84ecd335620ab485daa6e438b214fad4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
41B

MD5
af8140cc80e6001b0c58d1ad30c08355

SHA1
140543c6133298fab84b6b19c87a548b690ee9be

SHA256
14d4fbf228b0cfa2f836efa4d1eeab308aa9654324a47a8fb1523cc868cb6522

SHA512
0612591ccd969b15de211bac514473b9e78881fc5efd7ca4e75b1eef82923ea90696445dd025c6c23b6e559183ca777bad96844faccc04024faa366c71afe6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J8JUG2OR.txt
Filesize
70B

MD5
61b390c3a54a52dbef8a45713890671c

SHA1
dff58d532d09754fbf28b925ebd19fa9246c4f24

SHA256
01eb1def3876986c1c8b66bf69ab584aeedd385465120bfce666707d1b710816

SHA512
e3ebd89f1309cbbf2b6fc8963b44f2db500a1abd64e55bf79c39ae6b58d30735709f4b9386159f66042ebc8a3a49c78fb0bd0e65a2e75598d4ad02cbf089e8c4

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe
Filesize
1.2MB

MD5
c57b287858b87f3528e1366bcb4359e8

SHA1
2629391b45ae9cb08c5df8dd53bdc7c7f222c171

SHA256
119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664

SHA512
0100caab7532f3adeb4f6302c76dd44e2ab5ebca9dde4e39d73895d4ecda7341e825b73aa4ebeac16873be79c0352c60baec5c59508429043c9515c777202476

Download Submit
memory/2076-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2076-151-0x000000007225D000-0x0000000072268000-memory.dmp

Filesize
44KB

Download
memory/2076-87-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/2076-1-0x000000007225D000-0x0000000072268000-memory.dmp

Filesize
44KB

Download
memory/2180-84-0x000000007225D000-0x0000000072268000-memory.dmp

Filesize
44KB

Download
memory/2180-86-0x0000000002540000-0x0000000002542000-memory.dmp

Filesize
8KB

Download
memory/2180-152-0x000000007225D000-0x0000000072268000-memory.dmp

Filesize
44KB

Download
memory/2180-82-0x000000002F9A1000-0x000000002F9A2000-memory.dmp

Filesize
4KB

Download
memory/2400-209-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-192-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-182-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-183-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-185-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-186-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/2400-188-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-187-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-189-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-190-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-191-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-193-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-195-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-198-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-199-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-200-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-202-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-207-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-208-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-181-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-205-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-214-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-212-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-216-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-218-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-219-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-220-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-225-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-222-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-184-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-227-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-232-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-229-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-234-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-237-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-239-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-241-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-244-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-246-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-248-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-251-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-255-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-253-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-257-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-259-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-262-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-194-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-223-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-221-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-217-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-215-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-213-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-211-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-210-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-206-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-204-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-203-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-201-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-197-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download
memory/2400-196-0x0000000003660000-0x0000000004660000-memory.dmp

Filesize
16.0MB

Download