Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Resource: win10v2004-20241007-en
General
Target: 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Size: 45KB
MD5: d60407179c6134a465383bc6bbf6a2dd
SHA1: ad21182f3d32f5b6b14b5343d7b0ade9e4cdd234
SHA256: 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85
SHA512: d0ee8941be9652677db799d6888b73f320246b6e0050b153db9b0b3fd32df2f748d7483c97b00df8decff004799e4c722ee55a03d8c1738cdf9d92c70b680261
SSDEEP: 768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JXn:5UWXaMU5Xvp3FrbCEnn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Executes dropped EXE (12 IoCs)
  pid | process
  1720 | SVCHOST.EXE
  2664 | SVCHOST.EXE
  4904 | SVCHOST.EXE
  1384 | SVCHOST.EXE
  1388 | SVCHOST.EXE
  1868 | SPOOLSV.EXE
  1656 | SVCHOST.EXE
  2308 | SVCHOST.EXE
  5060 | SPOOLSV.EXE
  4152 | SPOOLSV.EXE
  2452 | SVCHOST.EXE
  4604 | SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Recycled\desktop.ini | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened for modification | F:\Recycled\desktop.ini | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\G: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\W: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\R: | SVCHOST.EXE
  File opened (read-only) | \??\U: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\E: | SVCHOST.EXE
  File opened (read-only) | \??\V: | SVCHOST.EXE
  File opened (read-only) | \??\Z: | SVCHOST.EXE
  File opened (read-only) | \??\N: | SVCHOST.EXE
  File opened (read-only) | \??\Y: | SVCHOST.EXE
  File opened (read-only) | \??\U: | SPOOLSV.EXE
  File opened (read-only) | \??\X: | SPOOLSV.EXE
  File opened (read-only) | \??\R: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\I: | SVCHOST.EXE
  File opened (read-only) | \??\O: | SVCHOST.EXE
  File opened (read-only) | \??\Y: | SVCHOST.EXE
  File opened (read-only) | \??\U: | SVCHOST.EXE
  File opened (read-only) | \??\I: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\T: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\H: | SVCHOST.EXE
  File opened (read-only) | \??\N: | SVCHOST.EXE
  File opened (read-only) | \??\N: | SPOOLSV.EXE
  File opened (read-only) | \??\P: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\S: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\L: | SVCHOST.EXE
  File opened (read-only) | \??\G: | SVCHOST.EXE
  File opened (read-only) | \??\P: | SVCHOST.EXE
  File opened (read-only) | \??\E: | SPOOLSV.EXE
  File opened (read-only) | \??\R: | SPOOLSV.EXE
  File opened (read-only) | \??\W: | SPOOLSV.EXE
  File opened (read-only) | \??\Y: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\K: | SVCHOST.EXE
  File opened (read-only) | \??\M: | SVCHOST.EXE
  File opened (read-only) | \??\T: | SVCHOST.EXE
  File opened (read-only) | \??\Z: | SPOOLSV.EXE
  File opened (read-only) | \??\R: | SVCHOST.EXE
  File opened (read-only) | \??\E: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\N: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\J: | SVCHOST.EXE
  File opened (read-only) | \??\H: | SVCHOST.EXE
  File opened (read-only) | \??\O: | SPOOLSV.EXE
  File opened (read-only) | \??\T: | SPOOLSV.EXE
  File opened (read-only) | \??\I: | SVCHOST.EXE
  File opened (read-only) | \??\L: | SVCHOST.EXE
  File opened (read-only) | \??\W: | SVCHOST.EXE
  File opened (read-only) | \??\Z: | SVCHOST.EXE
  File opened (read-only) | \??\M: | SVCHOST.EXE
  File opened (read-only) | \??\O: | SVCHOST.EXE
  File opened (read-only) | \??\S: | SVCHOST.EXE
  File opened (read-only) | \??\T: | SVCHOST.EXE
  File opened (read-only) | \??\H: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\M: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\Q: | SVCHOST.EXE
  File opened (read-only) | \??\U: | SVCHOST.EXE
  File opened (read-only) | \??\K: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\V: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\K: | SVCHOST.EXE
  File opened (read-only) | \??\X: | SVCHOST.EXE
  File opened (read-only) | \??\Q: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\Z: | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  File opened (read-only) | \??\G: | SPOOLSV.EXE
  File opened (read-only) | \??\M: | SPOOLSV.EXE
  File opened (read-only) | \??\K: | SPOOLSV.EXE
  File opened (read-only) | \??\Q: | SPOOLSV.EXE
  File opened (read-only) | \??\Y: | SPOOLSV.EXE
Drops file in Program Files directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (30 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | Explorer.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | process
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1868 | SPOOLSV.EXE
  4904 | SVCHOST.EXE
  1720 | SVCHOST.EXE
  3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  (the 64 hits are repeated entries for these four processes; duplicate rows collapsed)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (20 IoCs)
  pid | process
  3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
  1720 | SVCHOST.EXE
  2664 | SVCHOST.EXE
  4904 | SVCHOST.EXE
  1384 | SVCHOST.EXE
  1388 | SVCHOST.EXE
  1868 | SPOOLSV.EXE
  1656 | SVCHOST.EXE
  2308 | SVCHOST.EXE
  5060 | SPOOLSV.EXE
  4152 | SPOOLSV.EXE
  2452 | SVCHOST.EXE
  4604 | SPOOLSV.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
  3472 | WINWORD.EXE
Suspicious use of WriteProcessMemory (43 IoCs)
  description | pid | process | procid_target | hits
  PID 3084 wrote to memory of 1720 | 3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe | 83 | 3
  PID 1720 wrote to memory of 2664 | 1720 | SVCHOST.EXE | 84 | 3
  PID 1720 wrote to memory of 4904 | 1720 | SVCHOST.EXE | 85 | 3
  PID 4904 wrote to memory of 1384 | 4904 | SVCHOST.EXE | 86 | 3
  PID 4904 wrote to memory of 1388 | 4904 | SVCHOST.EXE | 87 | 3
  PID 4904 wrote to memory of 1868 | 4904 | SVCHOST.EXE | 88 | 3
  PID 1868 wrote to memory of 1656 | 1868 | SPOOLSV.EXE | 89 | 3
  PID 1868 wrote to memory of 2308 | 1868 | SPOOLSV.EXE | 90 | 3
  PID 1868 wrote to memory of 5060 | 1868 | SPOOLSV.EXE | 91 | 3
  PID 1720 wrote to memory of 4152 | 1720 | SVCHOST.EXE | 92 | 3
  PID 3084 wrote to memory of 2452 | 3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe | 93 | 3
  PID 3084 wrote to memory of 4604 | 3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe | 94 | 3
  PID 1720 wrote to memory of 4688 | 1720 | SVCHOST.EXE | 95 | 3
  PID 4688 wrote to memory of 4056 | 4688 | userinit.exe | 96 | 2
  PID 3084 wrote to memory of 3472 | 3084 | 23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe | 97 | 2
  (identical rows collapsed into the "hits" column; 43 rows in total)
Processes
(indentation shows the parent/child relationship; each process lists its image path, its command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe  (PID 3084)
    Command line: "C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE  (PID 1720)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE  (PID 2664)
            Command line: C:\recycled\SVCHOST.EXE :agent
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        F:\recycled\SVCHOST.EXE  (PID 4904)
            Command line: F:\recycled\SVCHOST.EXE :agent
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\recycled\SVCHOST.EXE  (PID 1384)
                Command line: C:\recycled\SVCHOST.EXE :agent
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx

            F:\recycled\SVCHOST.EXE  (PID 1388)
                Command line: F:\recycled\SVCHOST.EXE :agent
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx

            C:\recycled\SPOOLSV.EXE  (PID 1868)
                Command line: C:\recycled\SPOOLSV.EXE :agent
                - Modifies WinLogon for persistence
                - Modifies visibility of file extensions in Explorer
                - Modifies visibility of hidden/system files in Explorer
                - Executes dropped EXE
                - Enumerates connected drives
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                C:\recycled\SVCHOST.EXE  (PID 1656)
                    Command line: C:\recycled\SVCHOST.EXE :agent
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx

                F:\recycled\SVCHOST.EXE  (PID 2308)
                    Command line: F:\recycled\SVCHOST.EXE :agent
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx

                C:\recycled\SPOOLSV.EXE  (PID 5060)
                    Command line: C:\recycled\SPOOLSV.EXE :agent
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE  (PID 4152)
            Command line: C:\recycled\SPOOLSV.EXE :agent
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\userinit.exe  (PID 4688)
            Command line: C:\Windows\system32\userinit.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\Explorer.EXE  (PID 4056)
                Command line: C:\Windows\Explorer.EXE
                - Modifies registry class

    F:\recycled\SVCHOST.EXE  (PID 2452)
        Command line: F:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE  (PID 4604)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3472)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.doc" /o ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads