Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 18:23
Static task: static1
Behavioral task: behavioral1
Sample: c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe
Resource: win10v2004-20241007-en
General
Target: c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe
Size: 87KB
MD5: fdd771260012bb7d852d90d8dcd20f19
SHA1: 6c312d5669847e7afeb1983337c58e3fd15dcb2a
SHA256: c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5
SHA512: 8a630e37499b56a9a6fc6492dba020b586faaf1e7d4d83d3309b88631175ceddc9296ed3cbefea7aa4e66e553112640ae142216b30ee86c8f65e423b3321995f
SSDEEP: 1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoI3:08dfX7y9DZ+N7eB+II3
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Note: the sandbox renders a non-breaking space in the dropped filename as the escape \u00a0, so the machine-wide Winlogon Shell value points at a file named " Explorer.exe" (leading U+00A0) under C:\Windows\Fonts, while the per-user value points at C:\recycled\SVCHOST.exe.

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 2060 | SVCHOST.EXE |
| 804 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 3648 | SVCHOST.EXE |
| 5068 | SVCHOST.EXE |
| 3044 | SPOOLSV.EXE |
| 2240 | SVCHOST.EXE |
| 2508 | SVCHOST.EXE |
| 396 | SPOOLSV.EXE |
| 5028 | SPOOLSV.EXE |
| 1000 | SVCHOST.EXE |
| 3728 | SPOOLSV.EXE |
Drops desktop.ini file(s) (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Recycled\desktop.ini | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened for modification | F:\Recycled\desktop.ini | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\X: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\E: | SVCHOST.EXE |
| File opened (read-only) | \??\N: | SVCHOST.EXE |
| File opened (read-only) | \??\N: | SVCHOST.EXE |
| File opened (read-only) | \??\G: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\L: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\E: | SPOOLSV.EXE |
| File opened (read-only) | \??\L: | SPOOLSV.EXE |
| File opened (read-only) | \??\V: | SVCHOST.EXE |
| File opened (read-only) | \??\S: | SPOOLSV.EXE |
| File opened (read-only) | \??\E: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\K: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\U: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\X: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\W: | SPOOLSV.EXE |
| File opened (read-only) | \??\Y: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\G: | SPOOLSV.EXE |
| File opened (read-only) | \??\Q: | SPOOLSV.EXE |
| File opened (read-only) | \??\T: | SPOOLSV.EXE |
| File opened (read-only) | \??\L: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | SVCHOST.EXE |
| File opened (read-only) | \??\J: | SVCHOST.EXE |
| File opened (read-only) | \??\R: | SPOOLSV.EXE |
| File opened (read-only) | \??\I: | SVCHOST.EXE |
| File opened (read-only) | \??\O: | SVCHOST.EXE |
| File opened (read-only) | \??\W: | SVCHOST.EXE |
| File opened (read-only) | \??\K: | SPOOLSV.EXE |
| File opened (read-only) | \??\H: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | SVCHOST.EXE |
| File opened (read-only) | \??\U: | SVCHOST.EXE |
| File opened (read-only) | \??\X: | SVCHOST.EXE |
| File opened (read-only) | \??\Y: | SPOOLSV.EXE |
| File opened (read-only) | \??\Q: | SVCHOST.EXE |
| File opened (read-only) | \??\S: | SVCHOST.EXE |
| File opened (read-only) | \??\Z: | SPOOLSV.EXE |
| File opened (read-only) | \??\O: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\R: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\S: | SVCHOST.EXE |
| File opened (read-only) | \??\Y: | SVCHOST.EXE |
| File opened (read-only) | \??\P: | SPOOLSV.EXE |
| File opened (read-only) | \??\G: | SVCHOST.EXE |
| File opened (read-only) | \??\O: | SVCHOST.EXE |
| File opened (read-only) | \??\G: | SVCHOST.EXE |
| File opened (read-only) | \??\H: | SPOOLSV.EXE |
| File opened (read-only) | \??\Q: | SVCHOST.EXE |
| File opened (read-only) | \??\R: | SVCHOST.EXE |
| File opened (read-only) | \??\Z: | SVCHOST.EXE |
| File opened (read-only) | \??\V: | SPOOLSV.EXE |
| File opened (read-only) | \??\T: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\J: | SVCHOST.EXE |
| File opened (read-only) | \??\M: | SVCHOST.EXE |
| File opened (read-only) | \??\P: | SVCHOST.EXE |
| File opened (read-only) | \??\E: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\P: | SVCHOST.EXE |
| File opened (read-only) | \??\Z: | SVCHOST.EXE |
| File opened (read-only) | \??\J: | SPOOLSV.EXE |
| File opened (read-only) | \??\J: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\Q: | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened (read-only) | \??\V: | SVCHOST.EXE |
| File opened (read-only) | \??\W: | SVCHOST.EXE |
| File opened (read-only) | \??\T: | SVCHOST.EXE |
| File opened (read-only) | \??\I: | SPOOLSV.EXE |
Drops file in Program Files directory (1 IoC)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE |
| File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE |
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
Modifies registry class (29 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
|---|---|
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 3044 | SPOOLSV.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
| 2060 | SVCHOST.EXE |
Suspicious use of SetWindowsHookEx (33 IoCs)

| pid | Process |
|---|---|
| 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe |
| 2060 | SVCHOST.EXE |
| 804 | SVCHOST.EXE |
| 1780 | SVCHOST.EXE |
| 3648 | SVCHOST.EXE |
| 5068 | SVCHOST.EXE |
| 3044 | SPOOLSV.EXE |
| 2240 | SVCHOST.EXE |
| 2508 | SVCHOST.EXE |
| 396 | SPOOLSV.EXE |
| 5028 | SPOOLSV.EXE |
| 1000 | SVCHOST.EXE |
| 3728 | SPOOLSV.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
| 1520 | WINWORD.EXE |
Suspicious use of WriteProcessMemory (38 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3724 wrote to memory of 2060 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 83 |
| PID 3724 wrote to memory of 2060 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 83 |
| PID 3724 wrote to memory of 2060 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 83 |
| PID 2060 wrote to memory of 804 | 2060 | SVCHOST.EXE | 84 |
| PID 2060 wrote to memory of 804 | 2060 | SVCHOST.EXE | 84 |
| PID 2060 wrote to memory of 804 | 2060 | SVCHOST.EXE | 84 |
| PID 2060 wrote to memory of 1780 | 2060 | SVCHOST.EXE | 86 |
| PID 2060 wrote to memory of 1780 | 2060 | SVCHOST.EXE | 86 |
| PID 2060 wrote to memory of 1780 | 2060 | SVCHOST.EXE | 86 |
| PID 1780 wrote to memory of 3648 | 1780 | SVCHOST.EXE | 88 |
| PID 1780 wrote to memory of 3648 | 1780 | SVCHOST.EXE | 88 |
| PID 1780 wrote to memory of 3648 | 1780 | SVCHOST.EXE | 88 |
| PID 1780 wrote to memory of 5068 | 1780 | SVCHOST.EXE | 89 |
| PID 1780 wrote to memory of 5068 | 1780 | SVCHOST.EXE | 89 |
| PID 1780 wrote to memory of 5068 | 1780 | SVCHOST.EXE | 89 |
| PID 1780 wrote to memory of 3044 | 1780 | SVCHOST.EXE | 90 |
| PID 1780 wrote to memory of 3044 | 1780 | SVCHOST.EXE | 90 |
| PID 1780 wrote to memory of 3044 | 1780 | SVCHOST.EXE | 90 |
| PID 3044 wrote to memory of 2240 | 3044 | SPOOLSV.EXE | 92 |
| PID 3044 wrote to memory of 2240 | 3044 | SPOOLSV.EXE | 92 |
| PID 3044 wrote to memory of 2240 | 3044 | SPOOLSV.EXE | 92 |
| PID 3044 wrote to memory of 2508 | 3044 | SPOOLSV.EXE | 93 |
| PID 3044 wrote to memory of 2508 | 3044 | SPOOLSV.EXE | 93 |
| PID 3044 wrote to memory of 2508 | 3044 | SPOOLSV.EXE | 93 |
| PID 3044 wrote to memory of 396 | 3044 | SPOOLSV.EXE | 94 |
| PID 3044 wrote to memory of 396 | 3044 | SPOOLSV.EXE | 94 |
| PID 3044 wrote to memory of 396 | 3044 | SPOOLSV.EXE | 94 |
| PID 2060 wrote to memory of 5028 | 2060 | SVCHOST.EXE | 95 |
| PID 2060 wrote to memory of 5028 | 2060 | SVCHOST.EXE | 95 |
| PID 2060 wrote to memory of 5028 | 2060 | SVCHOST.EXE | 95 |
| PID 3724 wrote to memory of 1000 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 96 |
| PID 3724 wrote to memory of 1000 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 96 |
| PID 3724 wrote to memory of 1000 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 96 |
| PID 3724 wrote to memory of 3728 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 97 |
| PID 3724 wrote to memory of 3728 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 97 |
| PID 3724 wrote to memory of 3728 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 97 |
| PID 3724 wrote to memory of 1520 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 98 |
| PID 3724 wrote to memory of 1520 | 3724 | c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe | 98 |
Processes
(Level is the depth in the process tree; level 1 is the submitted sample.)

Level 1: C:\Users\Admin\AppData\Local\Temp\c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.exe"
PID: 3724
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: C:\recycled\SVCHOST.EXE
Command line: C:\recycled\SVCHOST.EXE :agent
PID: 2060
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 3: C:\recycled\SVCHOST.EXE
Command line: C:\recycled\SVCHOST.EXE :agent
PID: 804
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 3: F:\recycled\SVCHOST.EXE
Command line: F:\recycled\SVCHOST.EXE :agent
PID: 1780
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 4: C:\recycled\SVCHOST.EXE
Command line: C:\recycled\SVCHOST.EXE :agent
PID: 3648
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 4: F:\recycled\SVCHOST.EXE
Command line: F:\recycled\SVCHOST.EXE :agent
PID: 5068
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 4: C:\recycled\SPOOLSV.EXE
Command line: C:\recycled\SPOOLSV.EXE :agent
PID: 3044
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 5: C:\recycled\SVCHOST.EXE
Command line: C:\recycled\SVCHOST.EXE :agent
PID: 2240
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 5: F:\recycled\SVCHOST.EXE
Command line: F:\recycled\SVCHOST.EXE :agent
PID: 2508
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 5: C:\recycled\SPOOLSV.EXE
Command line: C:\recycled\SPOOLSV.EXE :agent
PID: 396
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 3: C:\recycled\SPOOLSV.EXE
Command line: C:\recycled\SPOOLSV.EXE :agent
PID: 5028
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 2: F:\recycled\SVCHOST.EXE
Command line: F:\recycled\SVCHOST.EXE :agent
PID: 1000
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 2: C:\recycled\SPOOLSV.EXE
Command line: C:\recycled\SPOOLSV.EXE :agent
PID: 3728
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c6f0de1f19297d125dbcf7968826747c0ed6e0220a564309e79d2843282b32d5.doc" /o ""
PID: 1520
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads