Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/11/2024, 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
- Resource: win10v2004-20241007-en
General
- Target: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
- Size: 45KB
- MD5: 7e31ad528b1973d37e042032eabeed55
- SHA1: 2b4202d461a20336791aadf7c87ce70e605b2235
- SHA256: b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e
- SHA512: 6f655179b0791921637ca2ee485287e2a85baa2ca1fb5d32456f5708964c5a2a74c091cde17a1912868bcc6d8d36f72b40a78ad48439ce1fb7f5746d482aa56d
- SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JX1:EOxyeFo6NPCAosxYyXdF5oy3VoK1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Both Winlogon values that decide what runs at logon are rewritten to point at the dropped C:\recycled\SVCHOST.exe, first by the sample and then again by each of its copies. The per-user Shell value is shown taking effect later in the process tree (userinit.exe launches Explorer.exe "C:\recycled\SVCHOST.exe"). The HKLM Userinit write landed under WOW6432Node, the redirected view a 32-bit process gets on this x64 image; the default value it replaces is C:\Windows\system32\userinit.exe, and the report does not show whether the redirected copy is honored at logon.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
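The three registry signatures above are the kind of events a detection rule should catch on a live host or in a sandbox feed. The following is an added example, not part of the report or of the sandbox's own detection logic: it parses "Set value" lines in the report's format (the sample events are copied from the tables above, plus two constructed benign baselines from a hypothetical setup.exe) and flags a Winlogon Shell value that is not bare explorer.exe, a Userinit list containing anything other than the real userinit.exe, and the two Explorer visibility settings. The rule names are my own.

```python
"""Flag Winlogon and Explorer-visibility tampering in sandbox registry events."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: four "Set value" events copied from the report's IoC tables,
# plus two benign baselines (hypothetical installer "setup.exe") the rules must ignore.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SPOOLSV.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," setup.exe',
]

# Line shape: Set value (<type>) <key path> = "<C-escaped value>" <process>
EVENT_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+)$')


@dataclass
class Finding:
    rule: str
    process: str
    key: str
    value: str


def parse_event(line: str):
    """Return (type, key, value, process) or None; undoes the \\" and \\\\ escapes."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    kind, key, raw, proc = m.groups()
    return kind, key, re.sub(r'\\(.)', r'\1', raw), proc


def check_event(key: str, value: str, process: str) -> Optional[Finding]:
    parts = key.lower().split("\\")
    leaf, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    if parent == "winlogon" and leaf == "shell":
        # The default logon shell is bare "explorer.exe"; anything else runs at every logon.
        if value.strip().lower() != "explorer.exe":
            return Finding("winlogon-shell-hijack", process, key, value)
    if parent == "winlogon" and leaf == "userinit":
        # Comma-separated list; every entry should be the real userinit.exe.
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        if any(not e.endswith("\\system32\\userinit.exe") for e in entries):
            return Finding("winlogon-userinit-hijack", process, key, value)
    if parent == "advanced" and leaf == "hidefileext" and value == "1":
        return Finding("explorer-hide-extensions", process, key, value)
    if parent == "advanced" and leaf == "showsuperhidden" and value == "0":
        return Finding("explorer-hide-system-files", process, key, value)
    return None


def analyze(lines) -> List[Finding]:
    """Run every rule over every parseable event; unparseable lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _kind, key, value, proc = parsed
        finding = check_event(key, value, proc)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        leaf = f.key.rsplit("\\", 1)[-1]
        print(f"{f.rule:28} {f.process:12} {leaf} = {f.value!r}")
```

Matching on the key's last two path components rather than the full path is deliberate: the same rule then covers HKLM, the WOW6432Node view and every per-user hive, which is exactly how the sample spreads its writes.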
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Executes dropped EXE 12 IoCs
pid | Process
5024 | SVCHOST.EXE
2548 | SVCHOST.EXE
1216 | SVCHOST.EXE
320 | SVCHOST.EXE
736 | SVCHOST.EXE
1052 | SPOOLSV.EXE
3056 | SVCHOST.EXE
3300 | SVCHOST.EXE
4644 | SPOOLSV.EXE
1844 | SPOOLSV.EXE
3384 | SVCHOST.EXE
2960 | SPOOLSV.EXE
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
File opened for modification | F:\Recycled\desktop.ini | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 entries are "File opened (read-only)" on a drive root (\??\X:), grouped here by process:
- b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (16 entries): E:, G:, I:, J:, K:, N:, O:, P:, Q:, R:, T:, U:, V:, W:, X:, Z:
- SPOOLSV.EXE (17 entries): E:, G:, I:, K:, L:, M:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, Y:, Z:
- SVCHOST.EXE (31 entries across several instances): E:, G: (2), H:, I: (2), J: (2), K:, M: (2), N: (2), O:, P: (2), Q:, R: (2), S:, T: (2), U:, V: (2), W:, X:, Y: (2), Z: (2)
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE (8 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 29 IoCs
The writes below make a screensaver (.scr) file look like a Word document: the scrfile class default value becomes "Microsoft Word 97 - 2003 Document", its install and config shell verbs are deleted, its open verb is rewritten, and Word.Document.8\DefaultIcon is pointed at the docicon.exe the sample wrote under the Office VFS path (see "Drops file in Program Files directory"). Together with HideFileExt = "1" above, a dropped .scr shows in Explorer with a Word type name and no extension.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\TileInfo = "prop:Type;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\QuickTip = "prop:Type;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (value not shown in the report) | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (1), SVCHOST.EXE (2), SPOOLSV.EXE (1)
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4244 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1052 | SPOOLSV.EXE (12 entries)
1216 | SVCHOST.EXE (24 entries)
5024 | SVCHOST.EXE (24 entries)
2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe (4 entries)
Suspicious use of SetWindowsHookEx 23 IoCs
pid | Process
2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
5024 | SVCHOST.EXE
2548 | SVCHOST.EXE
1216 | SVCHOST.EXE
320 | SVCHOST.EXE
736 | SVCHOST.EXE
1052 | SPOOLSV.EXE
3056 | SVCHOST.EXE
3300 | SVCHOST.EXE
4644 | SPOOLSV.EXE
1844 | SPOOLSV.EXE
3384 | SVCHOST.EXE
2960 | SPOOLSV.EXE
4244 | WINWORD.EXE (10 entries)
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target
Each parent/child pair is logged three times (the last one twice), which is the sandbox's normal footprint for a process creation; the 15 distinct pairs are:
PID 2816 wrote to memory of 5024 | 2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 84
PID 5024 wrote to memory of 2548 | 5024 | SVCHOST.EXE | 85
PID 5024 wrote to memory of 1216 | 5024 | SVCHOST.EXE | 87
PID 1216 wrote to memory of 320 | 1216 | SVCHOST.EXE | 88
PID 1216 wrote to memory of 736 | 1216 | SVCHOST.EXE | 90
PID 1216 wrote to memory of 1052 | 1216 | SVCHOST.EXE | 91
PID 1052 wrote to memory of 3056 | 1052 | SPOOLSV.EXE | 92
PID 1052 wrote to memory of 3300 | 1052 | SPOOLSV.EXE | 93
PID 1052 wrote to memory of 4644 | 1052 | SPOOLSV.EXE | 94
PID 5024 wrote to memory of 1844 | 5024 | SVCHOST.EXE | 95
PID 2816 wrote to memory of 3384 | 2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 96
PID 2816 wrote to memory of 2960 | 2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 97
PID 5024 wrote to memory of 4760 | 5024 | SVCHOST.EXE | 98
PID 4760 wrote to memory of 3044 | 4760 | userinit.exe | 99
PID 2816 wrote to memory of 4244 | 2816 | b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe | 102
Processes
Each process is listed with its tree depth, image path, command line, PID and the signatures it triggered; indentation shows parent and child.

1. C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"
   PID: 2816
   - Modifies WinLogon for persistence
   - Modifies visibility of file extensions in Explorer
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      PID: 5024
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\recycled\SVCHOST.EXE
         command line: C:\recycled\SVCHOST.EXE :agent
         PID: 2548
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

      3. F:\recycled\SVCHOST.EXE
         command line: F:\recycled\SVCHOST.EXE :agent
         PID: 1216
         - Modifies WinLogon for persistence
         - Modifies visibility of file extensions in Explorer
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Enumerates connected drives
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\recycled\SVCHOST.EXE
            command line: C:\recycled\SVCHOST.EXE :agent
            PID: 320
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

         4. F:\recycled\SVCHOST.EXE
            command line: F:\recycled\SVCHOST.EXE :agent
            PID: 736
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

         4. C:\recycled\SPOOLSV.EXE
            command line: C:\recycled\SPOOLSV.EXE :agent
            PID: 1052
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\recycled\SVCHOST.EXE
               command line: C:\recycled\SVCHOST.EXE :agent
               PID: 3056
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx

            5. F:\recycled\SVCHOST.EXE
               command line: F:\recycled\SVCHOST.EXE :agent
               PID: 3300
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx

            5. C:\recycled\SPOOLSV.EXE
               command line: C:\recycled\SPOOLSV.EXE :agent
               PID: 4644
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx

      3. C:\recycled\SPOOLSV.EXE
         command line: C:\recycled\SPOOLSV.EXE :agent
         PID: 1844
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\userinit.exe
         command line: C:\Windows\system32\userinit.exe
         PID: 4760
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Explorer.exe
            command line: Explorer.exe "C:\recycled\SVCHOST.exe"
            PID: 3044
            - System Location Discovery: System Language Discovery

   2. F:\recycled\SVCHOST.EXE
      command line: F:\recycled\SVCHOST.EXE :agent
      PID: 3384
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

   2. C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      PID: 2960
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.doc" /o ""
      PID: 4244
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\explorer.exe
   command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   PID: 2824
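The tree above is what a hunting query should surface: processes named SVCHOST.EXE and SPOOLSV.EXE running from C:\recycled and F:\recycled rather than System32, and userinit.exe starting the shell with an argument because the Winlogon Shell value was rewritten. The following is an added example, not part of the report or of the sandbox's tooling: it takes a constructed subset of the tree (pid, parent pid, image path, command line, copied from the report), rebuilds each process's ancestry from the parent links, and applies two rules of my own. The list of system binary names and the set of directories where they are legitimate are assumptions for a default C:\Windows install.

```python
"""Reconstruct spawn chains from a sandbox process tree and flag system-binary masquerading."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Windows binary names that only belong under the Windows directory (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "userinit.exe", "explorer.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Directories where those names are legitimate (assumes a default C:\Windows install).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

SAMPLE = "b3e23b2320be3dd7cdb52adebc1994250d7e5bbf7fa92d0e4b98141654e7070e.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed input: a subset of the report's process tree.
SAMPLE_TREE = [
    Proc(2816, None, rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
         rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    Proc(5024, 2816, r"C:\recycled\SVCHOST.EXE", r"C:\recycled\SVCHOST.EXE :agent"),
    Proc(1216, 5024, r"F:\recycled\SVCHOST.EXE", r"F:\recycled\SVCHOST.EXE :agent"),
    Proc(1052, 1216, r"C:\recycled\SPOOLSV.EXE", r"C:\recycled\SPOOLSV.EXE :agent"),
    Proc(4760, 5024, r"C:\Windows\SysWOW64\userinit.exe", r"C:\Windows\system32\userinit.exe"),
    Proc(3044, 4760, r"C:\Windows\SysWOW64\Explorer.exe", r'Explorer.exe "C:\recycled\SVCHOST.exe"'),
    Proc(4244, 2816, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         rf'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\{SAMPLE[:-4]}.doc" /o ""'),
    Proc(2824, None, r"C:\Windows\explorer.exe",
         r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    chain: str  # root-first image names joined by " > "


def build_index(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestry(index: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from the root process down to pid, following parent links."""
    names, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(PureWindowsPath(cur.image).name)
        cur = index.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(names))


def argv(cmdline: str) -> List[str]:
    """Minimal Windows-style split: a double-quoted run is one token."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(procs: List[Proc]) -> List[Finding]:
    index = build_index(procs)
    findings = []
    for p in procs:
        path = PureWindowsPath(p.image)
        name, folder = path.name.lower(), str(path.parent).lower()
        chain = " > ".join(ancestry(index, p.pid))
        # Rule 1: a system-binary name running from outside the Windows directory.
        if name in SYSTEM_BINARIES and folder not in LEGIT_DIRS:
            findings.append(Finding("masquerading-system-binary", p.pid, p.image, chain))
        # Rule 2: userinit.exe starting the shell with extra arguments. The default
        # Winlogon Shell value is bare "explorer.exe", so arguments here mean the
        # value was rewritten (as in the report) and the hijack has fired.
        parent = index.get(p.ppid) if p.ppid is not None else None
        if name == "explorer.exe" and parent is not None \
                and PureWindowsPath(parent.image).name.lower() == "userinit.exe":
            extra = argv(p.cmdline)[1:]
            if extra:
                findings.append(Finding("logon-shell-hijack-executed", p.pid, " ".join(extra), chain))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TREE):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
        print(f"{'':31}via {f.chain}")
```

The ancestry string is what makes a hit actionable: the SPOOLSV.EXE hit resolves to sample > SVCHOST.EXE > SVCHOST.EXE > SPOOLSV.EXE, which ties the copies on F: back to the original dropper. On a live host the same two rules run over Sysmon event ID 1 (process creation) fields, with ParentImage standing in for the ppid lookup.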
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
  MD5: 73245931ac95aaace1168bbfc943830f
  SHA1: 1321389d467c034a7bf7adf9d1fde6a5601e05b8
  SHA256: 16b07171633b79e315654b0f7c3c9692f984a4cd5f06a03948a2d71d1ce3981c
  SHA512: 100056c247b8332868875b1e6f869341c46f6f2cc8ed1905216795adf1115ab3916b8872b6358b7cfd672feb40cecf9699345d54e1bf9a78c9590cd6ee107ae7
- Filesize: 45KB
  MD5: 7d5bc6e1aac6191214fdd38ccbbc3566
  SHA1: c7f085ecd5c8f9d3a4213b3b7396bacbad5afc13
  SHA256: bb2350a7c50fc510c5504653bf5eeeb1eb7cc123efd0bc89c3f4aa52515063df
  SHA512: fa22625b2831cc69b4a4142306bc3a9de91f06a020389e63ba79a45db053fdc4f4e26d31e4481775b78c21ca268229ae9c3c3f7f1456cccc383737093228ef73
- Filesize: 65B
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
- Filesize: 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 2B
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
- Filesize: 45KB
  MD5: 36f9f47e33492c80a28858ef1d599e91
  SHA1: a5dde8b82852194cf38fa341455e1c936b2de12f
  SHA256: 71831469a233d4b9337438a53ee21cb917a269d0a657d0b86d5664611006c490
  SHA512: ae4d35b0cf32bbf7525c0ba425f00015b9d6349a9f9bcd91149554e06938e70144ea30ccb249aa95258c8e3b25fb4ff56f7777f69d3917564dca1c49e0c7a64c