Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2024, 20:31

Static task: static1
Behavioral task: behavioral1
  Sample: 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
  Resource: win10v2004-20240704-en
General
Target: 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Size: 76KB
MD5: 6624244fb473d9c3a55a38c139dc49fb
SHA1: b232cacb27d7ccb00697d0c55733066205674b72
SHA256: 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685
SHA512: d782f2f737a7cc738763c6985a325a9d75c7ebbda63d13075ac92656428efa28e8fa5ac8b74fb19608b2a493340b2ea1a51da49926119868a447db60b58c603c
SSDEEP: 1536:va3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIW:S8dfX7y9DZ+N7eB+IIW
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Executes dropped EXE 15 IoCs
pid | Process
2244 | SVCHOST.EXE
4736 | SVCHOST.EXE
1968 | SVCHOST.EXE
2964 | SVCHOST.EXE
988 | SVCHOST.EXE
996 | SPOOLSV.EXE
1004 | SVCHOST.EXE
3752 | SVCHOST.EXE
2840 | SPOOLSV.EXE
5104 | SPOOLSV.EXE
3240 | SVCHOST.EXE
3268 | SPOOLSV.EXE
4532 | SVCHOST.EXE
1528 | SVCHOST.EXE
1684 | SPOOLSV.EXE
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
File opened for modification | F:\Recycled\desktop.ini | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description (all rows): File opened (read-only)
ioc | Process
\??\S: | SVCHOST.EXE
\??\T: | SVCHOST.EXE
\??\S: | SPOOLSV.EXE
\??\X: | SPOOLSV.EXE
\??\Z: | SPOOLSV.EXE
\??\W: | SVCHOST.EXE
\??\H: | SVCHOST.EXE
\??\L: | SVCHOST.EXE
\??\H: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\J: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\M: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\P: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\Q: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\Z: | SVCHOST.EXE
\??\K: | SVCHOST.EXE
\??\V: | SVCHOST.EXE
\??\N: | SPOOLSV.EXE
\??\P: | SPOOLSV.EXE
\??\G: | SVCHOST.EXE
\??\N: | SVCHOST.EXE
\??\X: | SVCHOST.EXE
\??\E: | SVCHOST.EXE
\??\N: | SVCHOST.EXE
\??\P: | SVCHOST.EXE
\??\L: | SPOOLSV.EXE
\??\R: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\U: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\V: | SVCHOST.EXE
\??\Q: | SVCHOST.EXE
\??\G: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\S: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\H: | SVCHOST.EXE
\??\O: | SVCHOST.EXE
\??\J: | SVCHOST.EXE
\??\R: | SPOOLSV.EXE
\??\X: | SVCHOST.EXE
\??\I: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\L: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\N: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\T: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\Y: | SVCHOST.EXE
\??\I: | SVCHOST.EXE
\??\R: | SVCHOST.EXE
\??\Q: | SPOOLSV.EXE
\??\O: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\I: | SVCHOST.EXE
\??\G: | SVCHOST.EXE
\??\E: | SPOOLSV.EXE
\??\G: | SPOOLSV.EXE
\??\Y: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\Q: | SVCHOST.EXE
\??\T: | SVCHOST.EXE
\??\M: | SVCHOST.EXE
\??\S: | SVCHOST.EXE
\??\Y: | SVCHOST.EXE
\??\L: | SVCHOST.EXE
\??\R: | SVCHOST.EXE
\??\U: | SVCHOST.EXE
\??\W: | SPOOLSV.EXE
\??\X: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\Z: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\E: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\V: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
\??\W: | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\ Explorer.exe | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 29 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\QuickTip = "prop:Type;Size" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Key created | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\TileInfo = "prop:Type;Size" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3476 | WINWORD.EXE
3476 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
2244 | SVCHOST.EXE
2244 | SVCHOST.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
996 | SPOOLSV.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
1968 | SVCHOST.EXE
Suspicious use of SetWindowsHookEx 23 IoCs
pid | Process
864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
2244 | SVCHOST.EXE
4736 | SVCHOST.EXE
1968 | SVCHOST.EXE
2964 | SVCHOST.EXE
988 | SVCHOST.EXE
996 | SPOOLSV.EXE
1004 | SVCHOST.EXE
3752 | SVCHOST.EXE
2840 | SPOOLSV.EXE
5104 | SPOOLSV.EXE
3240 | SVCHOST.EXE
3268 | SPOOLSV.EXE
4532 | SVCHOST.EXE
1528 | SVCHOST.EXE
1684 | SPOOLSV.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
3476 | WINWORD.EXE
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target
PID 864 wrote to memory of 2244 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 93
PID 864 wrote to memory of 2244 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 93
PID 864 wrote to memory of 2244 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 93
PID 2244 wrote to memory of 4736 | 2244 | SVCHOST.EXE | 94
PID 2244 wrote to memory of 4736 | 2244 | SVCHOST.EXE | 94
PID 2244 wrote to memory of 4736 | 2244 | SVCHOST.EXE | 94
PID 2244 wrote to memory of 1968 | 2244 | SVCHOST.EXE | 95
PID 2244 wrote to memory of 1968 | 2244 | SVCHOST.EXE | 95
PID 2244 wrote to memory of 1968 | 2244 | SVCHOST.EXE | 95
PID 1968 wrote to memory of 2964 | 1968 | SVCHOST.EXE | 96
PID 1968 wrote to memory of 2964 | 1968 | SVCHOST.EXE | 96
PID 1968 wrote to memory of 2964 | 1968 | SVCHOST.EXE | 96
PID 1968 wrote to memory of 988 | 1968 | SVCHOST.EXE | 97
PID 1968 wrote to memory of 988 | 1968 | SVCHOST.EXE | 97
PID 1968 wrote to memory of 988 | 1968 | SVCHOST.EXE | 97
PID 1968 wrote to memory of 996 | 1968 | SVCHOST.EXE | 98
PID 1968 wrote to memory of 996 | 1968 | SVCHOST.EXE | 98
PID 1968 wrote to memory of 996 | 1968 | SVCHOST.EXE | 98
PID 996 wrote to memory of 1004 | 996 | SPOOLSV.EXE | 99
PID 996 wrote to memory of 1004 | 996 | SPOOLSV.EXE | 99
PID 996 wrote to memory of 1004 | 996 | SPOOLSV.EXE | 99
PID 996 wrote to memory of 3752 | 996 | SPOOLSV.EXE | 100
PID 996 wrote to memory of 3752 | 996 | SPOOLSV.EXE | 100
PID 996 wrote to memory of 3752 | 996 | SPOOLSV.EXE | 100
PID 996 wrote to memory of 2840 | 996 | SPOOLSV.EXE | 101
PID 996 wrote to memory of 2840 | 996 | SPOOLSV.EXE | 101
PID 996 wrote to memory of 2840 | 996 | SPOOLSV.EXE | 101
PID 2244 wrote to memory of 5104 | 2244 | SVCHOST.EXE | 102
PID 2244 wrote to memory of 5104 | 2244 | SVCHOST.EXE | 102
PID 2244 wrote to memory of 5104 | 2244 | SVCHOST.EXE | 102
PID 864 wrote to memory of 3240 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 103
PID 864 wrote to memory of 3240 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 103
PID 864 wrote to memory of 3240 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 103
PID 864 wrote to memory of 3268 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 104
PID 864 wrote to memory of 3268 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 104
PID 864 wrote to memory of 3268 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 104
PID 864 wrote to memory of 4532 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 105
PID 864 wrote to memory of 4532 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 105
PID 864 wrote to memory of 4532 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 105
PID 864 wrote to memory of 1528 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 106
PID 864 wrote to memory of 1528 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 106
PID 864 wrote to memory of 1528 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 106
PID 864 wrote to memory of 1684 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 107
PID 864 wrote to memory of 1684 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 107
PID 864 wrote to memory of 1684 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 107
PID 864 wrote to memory of 3476 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 108
PID 864 wrote to memory of 3476 | 864 | 314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe | 108
Processes
Process tree, indented by parent/child relationship:

C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe (PID 864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE (PID 2244)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE (PID 4736)
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    F:\recycled\SVCHOST.EXE (PID 1968)
      Command line: F:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE (PID 2964)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      F:\recycled\SVCHOST.EXE (PID 988)
        Command line: F:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE (PID 996)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE (PID 1004)
          Command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        F:\recycled\SVCHOST.EXE (PID 3752)
          Command line: F:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE (PID 2840)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE (PID 5104)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  F:\recycled\SVCHOST.EXE (PID 3240)
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE (PID 3268)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SVCHOST.EXE (PID 4532)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  F:\recycled\SVCHOST.EXE (PID 1528)
    Command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE (PID 1684)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3476)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2712)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,13421008738336098502,1902686380018635081,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads