Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 17/11/2024, 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
  Resource: win10v2004-20241007-en
General
Target: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Size: 45KB
MD5: 7e31ad528b1973d37e042032eabeed55
SHA1: 2b4202d461a20336791aadf7c87ce70e605b2235
SHA256: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e
SHA512: 6f655179b0791921637ca2ee485287e2a85baa2ca1fb5d32456f5708964c5a2a74c091cde17a1912868bcc6d8d36f72b40a78ad48439ce1fb7f5746d482aa56d
SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JX1:EOxyeFo6NPCAosxYyXdF5oy3VoK1
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Executes dropped EXE (12 IoCs)
pid | Process
2528 | SVCHOST.EXE
2736 | SVCHOST.EXE
2892 | SVCHOST.EXE
2312 | SVCHOST.EXE
2916 | SVCHOST.EXE
1980 | SPOOLSV.EXE
2604 | SVCHOST.EXE
2680 | SVCHOST.EXE
2332 | SPOOLSV.EXE
1108 | SPOOLSV.EXE
2564 | SVCHOST.EXE
2820 | SPOOLSV.EXE
Loads dropped DLL (21 IoCs)
pid | Process | count
2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 2
2528 | SVCHOST.EXE | 3
2892 | SVCHOST.EXE | 5
1980 | SPOOLSV.EXE | 5
2528 | SVCHOST.EXE | 2
2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 4
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened for modification | F:\Recycled\desktop.ini | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | SVCHOST.EXE
File opened (read-only) | \??\G: | SVCHOST.EXE
File opened (read-only) | \??\O: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\E: | SVCHOST.EXE
File opened (read-only) | \??\M: | SVCHOST.EXE
File opened (read-only) | \??\K: | SVCHOST.EXE
File opened (read-only) | \??\Q: | SVCHOST.EXE
File opened (read-only) | \??\W: | SVCHOST.EXE
File opened (read-only) | \??\E: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\N: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\V: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\S: | SVCHOST.EXE
File opened (read-only) | \??\Q: | SPOOLSV.EXE
File opened (read-only) | \??\G: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\Q: | SVCHOST.EXE
File opened (read-only) | \??\R: | SVCHOST.EXE
File opened (read-only) | \??\Y: | SVCHOST.EXE
File opened (read-only) | \??\J: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\K: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\V: | SVCHOST.EXE
File opened (read-only) | \??\T: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\Y: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\E: | SVCHOST.EXE
File opened (read-only) | \??\R: | SPOOLSV.EXE
File opened (read-only) | \??\L: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\P: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\S: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\U: | SVCHOST.EXE
File opened (read-only) | \??\H: | SVCHOST.EXE
File opened (read-only) | \??\M: | SVCHOST.EXE
File opened (read-only) | \??\P: | SVCHOST.EXE
File opened (read-only) | \??\R: | SVCHOST.EXE
File opened (read-only) | \??\H: | SVCHOST.EXE
File opened (read-only) | \??\K: | SVCHOST.EXE
File opened (read-only) | \??\O: | SVCHOST.EXE
File opened (read-only) | \??\V: | SVCHOST.EXE
File opened (read-only) | \??\O: | SPOOLSV.EXE
File opened (read-only) | \??\Q: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\W: | SVCHOST.EXE
File opened (read-only) | \??\I: | SPOOLSV.EXE
File opened (read-only) | \??\J: | SVCHOST.EXE
File opened (read-only) | \??\N: | SVCHOST.EXE
File opened (read-only) | \??\O: | SVCHOST.EXE
File opened (read-only) | \??\U: | SVCHOST.EXE
File opened (read-only) | \??\E: | SPOOLSV.EXE
File opened (read-only) | \??\I: | SVCHOST.EXE
File opened (read-only) | \??\L: | SVCHOST.EXE
File opened (read-only) | \??\P: | SVCHOST.EXE
File opened (read-only) | \??\T: | SPOOLSV.EXE
File opened (read-only) | \??\U: | SPOOLSV.EXE
File opened (read-only) | \??\V: | SPOOLSV.EXE
File opened (read-only) | \??\H: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\R: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\Z: | SVCHOST.EXE
File opened (read-only) | \??\T: | SVCHOST.EXE
File opened (read-only) | \??\Z: | SVCHOST.EXE
File opened (read-only) | \??\G: | SPOOLSV.EXE
File opened (read-only) | \??\J: | SPOOLSV.EXE
File opened (read-only) | \??\L: | SPOOLSV.EXE
File opened (read-only) | \??\I: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\W: | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened (read-only) | \??\L: | SVCHOST.EXE
File opened (read-only) | \??\M: | SPOOLSV.EXE
File opened (read-only) | \??\X: | SPOOLSV.EXE
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (28 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2364 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
1980 | SPOOLSV.EXE | 10
2892 | SVCHOST.EXE | 10
2528 | SVCHOST.EXE | 10
2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 20
2892 | SVCHOST.EXE | 10
1980 | SPOOLSV.EXE | 4
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
2528 | SVCHOST.EXE
2736 | SVCHOST.EXE
2892 | SVCHOST.EXE
2312 | SVCHOST.EXE
2916 | SVCHOST.EXE
1980 | SPOOLSV.EXE
2604 | SVCHOST.EXE
2680 | SVCHOST.EXE
2332 | SPOOLSV.EXE
1108 | SPOOLSV.EXE
2564 | SVCHOST.EXE
2820 | SPOOLSV.EXE
2364 | WINWORD.EXE
2364 | WINWORD.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 2096 wrote to memory of 2528 | 2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 30 | 4
PID 2528 wrote to memory of 2736 | 2528 | SVCHOST.EXE | 31 | 4
PID 2528 wrote to memory of 2892 | 2528 | SVCHOST.EXE | 32 | 4
PID 2892 wrote to memory of 2312 | 2892 | SVCHOST.EXE | 33 | 4
PID 2892 wrote to memory of 2916 | 2892 | SVCHOST.EXE | 34 | 4
PID 2892 wrote to memory of 1980 | 2892 | SVCHOST.EXE | 35 | 4
PID 1980 wrote to memory of 2604 | 1980 | SPOOLSV.EXE | 36 | 4
PID 1980 wrote to memory of 2680 | 1980 | SPOOLSV.EXE | 37 | 4
PID 1980 wrote to memory of 2332 | 1980 | SPOOLSV.EXE | 38 | 4
PID 2528 wrote to memory of 1108 | 2528 | SVCHOST.EXE | 39 | 4
PID 2096 wrote to memory of 2564 | 2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 40 | 4
PID 2528 wrote to memory of 2024 | 2528 | SVCHOST.EXE | 41 | 4
PID 2096 wrote to memory of 2820 | 2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 42 | 4
PID 2096 wrote to memory of 2364 | 2096 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 43 | 4
PID 2024 wrote to memory of 1896 | 2024 | userinit.exe | 44 | 4
PID 2364 wrote to memory of 1988 | 2364 | WINWORD.EXE | 47 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (PID 2096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\recycled\SVCHOST.EXE (PID 2528)
    Command line: C:\recycled\SVCHOST.EXE :agent
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\recycled\SVCHOST.EXE (PID 2736)
      Command line: C:\recycled\SVCHOST.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE (PID 2892)
      Command line: F:\recycled\SVCHOST.EXE :agent
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\recycled\SVCHOST.EXE (PID 2312)
        Command line: C:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE (PID 2916)
        Command line: F:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE (PID 1980)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\recycled\SVCHOST.EXE (PID 2604)
          Command line: C:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE (PID 2680)
          Command line: F:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE (PID 2332)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE (PID 1108)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\userinit.exe (PID 2024)
      Command line: C:\Windows\system32\userinit.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Explorer.exe (PID 1896)
        Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        Signatures: System Location Discovery: System Language Discovery
  - F:\recycled\SVCHOST.EXE (PID 2564)
    Command line: F:\recycled\SVCHOST.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE (PID 2820)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2364)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.doc"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe (PID 1988)
      Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\explorer.exe (PID 1432)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65B
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
- Filesize: 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
- Filesize: 2B
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
- Filesize: 45KB
  MD5: 1b07795f006bc30deffc46ea42308fc8
  SHA1: f468797e9c1dc664d868389ae07dd16e5c02110b
  SHA256: 9f362d37e12aceee3234f09b6819ff1554e46e0552df39f50b07b158ad436cb7
  SHA512: d320c2511fda706885a5a274a52b3dd73c81e2bc8f87b0b1de5e146a8981b21f426ca269fa74d401d71b0ff41cb5836a4432bb857b601f78ff13e2e085c45c0a
- Filesize: 45KB
  MD5: 02cf194c8a5c5d42feba4290fa25770d
  SHA1: 23ecff4101bf855b19c154dba8217590a47f6c1e
  SHA256: abb3ff529c29ccb83e6919701e4248dadf8597e1106ea7fbe2871dbcec2ad07a
  SHA512: 7471199a8f7bb1f7f6ebb812573e98e17c3fcf61b0098c6d4b7f55d013e3e6f1756c9719a5b5a8c1566820e7c3adefacb19d36b4c6e0559b15cb9d161324bb21
- Filesize: 45KB
  MD5: 1ef33fe05131f9a92875b7d8b240580a
  SHA1: 9049fe32c791b0229581db3a82f29a3e02c8c5c8
  SHA256: 47e54753d47b99f5ff7ffc8a7ed6cffdef95421ab9c3f777fc1c22fb33e193b1
  SHA512: c9322e2189b6306a677169d31ed8bccddf897df2bf838adc6edeaebfa15496d56ab44d9c078f1ead1370b9c15cdcb9a8ab51b37133432f33cf785d5af5c750a9