Analysis

max time kernel: 120s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 10:06
Static task: static1

Behavioral task: behavioral1
Sample: e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Resource: win10v2004-20241007-en
General

Target: e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Size: 76KB
MD5: 1b4ef5b81501f757d751a986c6fbc4f0
SHA1: 2c52e7cebe085f8576498aeee0d69b4d4e109647
SHA256: e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374e
SHA512: 3a86d87718c5e67e9981804c26d4f0dfd55a2d94b8d34d6de7df0ece8f03bdf79d8a84d21ffe0a7c1ace1f7915402ac1e2f2720af6ffa335d15db63ae6255df0
SSDEEP: 1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoIW:T0aXdfXAyy9DZ+N7eB+IIW
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)

The Winlogon Shell value is rewritten both in HKLM (under WOW6432Node, i.e. the 32-bit view of the hive) and in the user's hive, so that the shell command becomes Explorer.exe followed by a quoted path to a copy of the malware, which is therefore started at every logon. The HKLM value contains an escaped \u00a0: the dropped file's name begins with a no-break space (U+00A0), so "C:\Windows\Fonts\ Explorer.exe" is a file literally named " Explorer.exe" that is easy to mistake for the genuine shell in a directory listing.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)

ShowSuperHidden = 0 keeps files marked hidden+system out of Explorer listings even when "show hidden files" is on; together with HideFileExt = 1 above it hides both the dropped copies and their real .exe/.scr extensions.

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Checks computer location settings (2 TTPs, 1 IoC)

Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Executes dropped EXE (12 IoCs)

pid | Process
1032 | SVCHOST.EXE
1036 | SVCHOST.EXE
3504 | SVCHOST.EXE
4944 | SVCHOST.EXE
2208 | SVCHOST.EXE
636 | SPOOLSV.EXE
3096 | SVCHOST.EXE
4216 | SVCHOST.EXE
3128 | SPOOLSV.EXE
4164 | SPOOLSV.EXE
3824 | SVCHOST.EXE
3260 | SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)

description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened for modification | F:\Recycled\desktop.ini | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Enumerates connected drives (3 TTPs, 64 IoCs)

Attempts to read the root path of hard drives other than the default C: drive. The 64 rows (64 is the listing cap, so the enumeration is probably longer) are condensed here by process; a count in parentheses means that letter was opened that many times (there are several instances of each image).

description | Process | drive letters opened read-only (\??\X:)
File opened (read-only) | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | E G H I J K L M N P R S T U X Y Z
File opened (read-only) | SPOOLSV.EXE | E G H I J L M N O P Q S T U V W Y Z
File opened (read-only) | SVCHOST.EXE | E(2) H I J K(2) L M(2) N(2) O(2) Q R S T U(2) V W(2) X(2) Y(2) Z(2)
Drops file in Program Files directory (1 IoC)

description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

Drops file in Windows directory (4 IoCs)

In the path below the character before Explorer.exe is the no-break space (U+00A0) that appears as \u00a0 in the Winlogon Shell value above; this is the file Winlogon is pointed at.

description | ioc | Process
File opened for modification | C:\Windows\Fonts\ Explorer.exe | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. All 13 rows open the same key; they are grouped by process here.

description | ioc | Process (rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE (4)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE (8)
Checks processor information in registry (2 TTPs, 3 IoCs)

Processor information is often read in order to detect sandboxing environments. Note that all three reads here, and the BIOS reads in the next signature, come from WINWORD.EXE (PID 4960), the Word instance the sample launched, not from the sample or its dropped copies; they should not be attributed to the malware without further evidence.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (29 IoCs)

Taken together, these rows re-describe the scrfile class (screensaver executables, .scr): its friendly name becomes "Microsoft Word 97 - 2003 Document", the default value of its shell\open verb is set (the value itself is not shown in the report), and the shell\config and shell\install verbs are deleted. The Word.Document.8 DefaultIcon is pointed at docicon.exe, the same file the sample opened for modification under "Drops file in Program Files directory". With HideFileExt = 1 and ShowSuperHidden = 0 set above, an .scr copy of the malware is shown in Explorer with a Word document's name, icon and type. The TileInfo/InfoTip/QuickTip values under the * class control the property lists Explorer shows in tooltips and tiles for every file type.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\TileInfo = "prop:Type;Size" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\QuickTip = "prop:Type;Size" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
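The following is an added example and is not part of the sandbox report or of the sample's code: a small Python detector that parses rows in the shape the report uses above ("Set value (type) <key> = "<value>" <process>", with the value JSON-escaped) and flags the four registry changes that make this sample's copies look legitimate, namely a Winlogon Shell value that is no longer just explorer.exe, look-alike whitespace such as U+00A0 inside that value, HideFileExt = 1 / ShowSuperHidden = 0, and the scrfile class relabelled as a document type. The malicious rows are hand-built from the IoC lists in this report; the two benign rows (msiexec.exe writing the default shell, and a value-query row) are constructed for contrast. It also serves the "Modifies WinLogon for persistence" and Explorer-visibility signatures above.

```python
"""Detect registry changes that disguise a malware copy as the shell or as a document.

Added example; rows are built from this report's IoC lists plus two constructed benign rows.
"""
import json
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Row shape used by the report: Set value (str|int) <key> = "<json-escaped value>" <process>
ROW = re.compile(r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<raw>.*)" (?P<proc>\S+)$')

SAMPLE_ROWS = [
    # Rows 1-4 reproduce entries from this report; the \u00a0 is the no-break space in the dropped file's name.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" SPOOLSV.EXE',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SVCHOST.EXE',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" SPOOLSV.EXE',
    # Constructed benign rows (not from the report): the default shell, and a query row that carries no value.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" msiexec.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation sample.exe',
]


@dataclass
class RegEvent:
    key: str
    value: str
    process: str


def parse_row(line: str) -> Optional[RegEvent]:
    """Parse one 'Set value' row; returns None for rows that carry no value (Key opened, Key value queried)."""
    m = ROW.match(line)
    if not m:
        return None
    # The report escapes values JSON-style (\\, \", \u00a0), so a JSON string decoder recovers the real value.
    return RegEvent(m['key'], json.loads('"' + m['raw'] + '"'), m['proc'])


def invisible_chars(s: str) -> List[str]:
    """Code points that render as blank or as nothing but are not an ordinary ASCII space."""
    return [f'U+{ord(c):04X}' for c in s
            if c != ' ' and unicodedata.category(c) in ('Zs', 'Cf', 'Cc')]


def check_event(ev: RegEvent) -> List[str]:
    """Return human-readable findings for one registry write, or an empty list if it looks benign."""
    key = ev.key.lower()
    findings: List[str] = []
    if key.endswith('\\winlogon\\shell'):
        # Winlogon Shell should be exactly explorer.exe; anything appended is a logon-time launch.
        if ev.value.strip().lower() != 'explorer.exe':
            findings.append(f'Winlogon Shell replaced by {ev.process}: {ev.value!r}')
        hidden = invisible_chars(ev.value)
        if hidden:
            findings.append('Shell value contains look-alike whitespace: ' + ' '.join(hidden))
    elif key.endswith('\\explorer\\advanced\\hidefileext') and ev.value == '1':
        findings.append(f'{ev.process} re-enabled hiding of file extensions')
    elif key.endswith('\\explorer\\advanced\\showsuperhidden') and ev.value == '0':
        findings.append(f'{ev.process} re-hid protected operating system files')
    elif key.endswith('\\classes\\scrfile\\') and 'document' in ev.value.lower():
        # Trailing backslash means the class's default value, i.e. its friendly type name.
        findings.append(f'{ev.process} relabelled the .scr file class as {ev.value!r}')
    return findings


def scan(rows: List[str]) -> List[str]:
    """Run check_event over every parseable row and collect the findings."""
    findings: List[str] = []
    for line in rows:
        ev = parse_row(line)
        if ev is not None:
            findings.extend(check_event(ev))
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_ROWS):
        print(finding)
```

Run as a script it prints five findings for the four report-derived rows and nothing for the benign ones; the U+00A0 finding is the one a human reading the report's rendered path "C:\Windows\Fonts\ Explorer.exe" is most likely to miss.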
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

pid | Process
4960 | WINWORD.EXE
4960 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 rows (the listing cap) are grouped by process in the order they appear.

pid | Process | rows
1032 | SVCHOST.EXE | 12
3504 | SVCHOST.EXE | 12
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 12
636 | SPOOLSV.EXE | 12
1032 | SVCHOST.EXE | 12
3504 | SVCHOST.EXE | 4

Suspicious use of SetWindowsHookEx (20 IoCs)

pid | Process | rows
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 1
1032 | SVCHOST.EXE | 1
1036 | SVCHOST.EXE | 1
3504 | SVCHOST.EXE | 1
4944 | SVCHOST.EXE | 1
2208 | SVCHOST.EXE | 1
636 | SPOOLSV.EXE | 1
3096 | SVCHOST.EXE | 1
4216 | SVCHOST.EXE | 1
3128 | SPOOLSV.EXE | 1
4164 | SPOOLSV.EXE | 1
3824 | SVCHOST.EXE | 1
3260 | SPOOLSV.EXE | 1
4960 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (38 IoCs)

Every (writer, target) pair below is a parent/child edge of the process tree in the Processes section, and each pair is recorded three times (twice for the final WINWORD.EXE launch). That is consistent with ordinary process creation, where the sandbox logs the parent's writes into the child it has just started, rather than with injection into a pre-existing process. procid_target is the sandbox's sequential internal identifier for the target process, not its PID.

writer pid | writer Process | target pid | procid_target | rows
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 1032 | 81 | 3
1032 | SVCHOST.EXE | 1036 | 82 | 3
1032 | SVCHOST.EXE | 3504 | 83 | 3
3504 | SVCHOST.EXE | 4944 | 84 | 3
3504 | SVCHOST.EXE | 2208 | 85 | 3
3504 | SVCHOST.EXE | 636 | 86 | 3
636 | SPOOLSV.EXE | 3096 | 87 | 3
636 | SPOOLSV.EXE | 4216 | 88 | 3
636 | SPOOLSV.EXE | 3128 | 89 | 3
1032 | SVCHOST.EXE | 4164 | 90 | 3
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 3824 | 91 | 3
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 3260 | 92 | 3
416 | e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe | 4960 | 93 | 2
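As an added example (not part of the report), the check described above can be automated: parse the "PID A wrote to memory of B" rows and compare each (writer, target) pair with the parent/child edges of the process tree. Pairs that are tree edges are process-creation writes; anything else is a candidate for cross-process injection. The PARENT map is transcribed from the Processes section of this report, the first eight rows are copied from the report, and the last row is constructed (a write from 3504 into 4960, which is not its child) to show the non-matching case.

```python
"""Separate parent-into-new-child writes from cross-process injection in a sandbox report.

Added example; the PARENT edges and the first eight rows come from this report,
the final row is constructed to exercise the injection branch.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

WPM = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b')

# child PID -> parent PID, transcribed from the Processes section of the report.
PARENT: Dict[int, int] = {
    1032: 416, 3824: 416, 3260: 416, 4960: 416,
    1036: 1032, 3504: 1032, 4164: 1032,
    4944: 3504, 2208: 3504, 636: 3504,
    3096: 636, 4216: 636, 3128: 636,
}

SAMPLE = 'e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe'
ROWS: List[str] = [
    f'PID 416 wrote to memory of 1032 416 {SAMPLE} 81',
    f'PID 416 wrote to memory of 1032 416 {SAMPLE} 81',
    f'PID 416 wrote to memory of 1032 416 {SAMPLE} 81',
    'PID 1032 wrote to memory of 3504 1032 SVCHOST.EXE 83',
    'PID 1032 wrote to memory of 3504 1032 SVCHOST.EXE 83',
    'PID 1032 wrote to memory of 3504 1032 SVCHOST.EXE 83',
    f'PID 416 wrote to memory of 4960 416 {SAMPLE} 93',
    f'PID 416 wrote to memory of 4960 416 {SAMPLE} 93',
    # Constructed row, not in the report: a write into a process that is not the writer's child.
    'PID 3504 wrote to memory of 4960 3504 SVCHOST.EXE 93',
]


def classify(rows: List[str], parent: Dict[int, int]) -> Tuple[Counter, List[Tuple[int, int]]]:
    """Count creation writes per (parent, child) edge and list writes that cross the tree."""
    created: Counter = Counter()
    injected: List[Tuple[int, int]] = []
    for line in rows:
        m = WPM.search(line)
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        if parent.get(dst) == src:
            created[(src, dst)] += 1      # parent writing into its own child: process creation
        else:
            injected.append((src, dst))   # no parent/child edge: investigate as injection
    return created, injected


if __name__ == '__main__':
    created, injected = classify(ROWS, PARENT)
    for (src, dst), n in sorted(created.items()):
        print(f'creation  {src} -> {dst}  ({n} writes)')
    for src, dst in injected:
        print(f'INJECTION? {src} -> {dst}')
```

On the full 38 rows of this report the injected list is empty; the constructed ninth row is the only one the check flags.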
Processes

Indentation shows parent/child relationships; each entry gives the image path, the recorded command line, the signatures that fired in that process, and its PID. The dropped copies run from the Recycled folder of both the C: and F: drives and are always started with the ":agent" argument. The original sample also launches WINWORD.EXE on a .doc with the same base name as the executable, a decoy document for the user.

C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 416

    C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1032

        C:\recycled\SVCHOST.EXE
          command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 1036

        F:\recycled\SVCHOST.EXE
          command line: F:\recycled\SVCHOST.EXE :agent
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3504

            C:\recycled\SVCHOST.EXE
              command line: C:\recycled\SVCHOST.EXE :agent
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 4944

            F:\recycled\SVCHOST.EXE
              command line: F:\recycled\SVCHOST.EXE :agent
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2208

            C:\recycled\SPOOLSV.EXE
              command line: C:\recycled\SPOOLSV.EXE :agent
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 636

                C:\recycled\SVCHOST.EXE
                  command line: C:\recycled\SVCHOST.EXE :agent
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 3096

                F:\recycled\SVCHOST.EXE
                  command line: F:\recycled\SVCHOST.EXE :agent
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 4216

                C:\recycled\SPOOLSV.EXE
                  command line: C:\recycled\SPOOLSV.EXE :agent
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 3128

        C:\recycled\SPOOLSV.EXE
          command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 4164

    F:\recycled\SVCHOST.EXE
      command line: F:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3824

    C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3260

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 4960
Network
MITRE ATT&CK Enterprise v15
Downloads

The report lists the dropped files by size and hash only; it does not name them. Six of them are 76KB, the size of the original sample, but none of their hashes matches the sample's, so the on-disk copies are not byte-identical to the parent.

File 1
Filesize: 76KB
MD5: 88d4bf976836212fb4638ae9beeb5c8a
SHA1: 21a50bedbdc4fba5ad88c03a2f79a5f96fbaf601
SHA256: 7d263d66085110aaca5a303c1253cfcca886619b08dee6a0a60ff42c9d2a6bf1
SHA512: 52c890bcf7212a745296d130c5e4e84258882b074829c7fa63d84f1145a57c155a43ac572d1de1941277b9800780fcb757839294a5c65289cdb45cf5768c82d3

File 2
Filesize: 76KB
MD5: 8cc25461a147bfa1853e5d682730365f
SHA1: 8cac90573d4119ed6ef2bae86bd152e5142f77d3
SHA256: 457cd473c0e147f69c196228c7dcd359d0e62da9cadd8b4250eef0f9c0982a85
SHA512: 81bb50754bc92444f60da8df206f1331c7f8aa957cdee9ee7e3af4afc85f58ca006bf15a3bc9e06891d8a4fad97ac147569c813f57c5ce6846e9abccea5d4066

File 3
Filesize: 2KB
MD5: 1a1dce35d60d2c70ca8894954fd5d384
SHA1: 58547dd65d506c892290755010d0232da34ee000
SHA256: 2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA512: 4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

File 4
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

File 5
Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

File 6
Filesize: 76KB
MD5: 1b43e83b317b915154f414aa6d07b2a7
SHA1: 70b9aeaa9c96b74fa09fe7ac3ba1dff5fe5c3390
SHA256: 6241df3c4d5078e3ac21751973a9e6c3ea6762dc9498add052554cd47c634344
SHA512: 1ba38dcd1d47d1147457ea14017b636ba4b7080d1c2aa0c64fcb12e0082d05f7a3d08c32f95290baf338a2b47e83a96f2abc24e63de86d602fdc469c369119db

File 7
Filesize: 76KB
MD5: bd8532662d792a94ae0343dcf44f5247
SHA1: 34c8fd182c61364521505f5d1f2962f3ab785825
SHA256: 0a508d0cbfbd7d02eeb975713057c0ce3ef91e143c8a595e5b602c0546f52dc3
SHA512: 1ebce5f823abe91de164271509a00d46fb9d0cf0e9fa4302aebd01292c0b303d6277a06b95ff7599aedc2fd5277f3c2ce000e34e84ba0752293eead28231e277

File 8
Filesize: 76KB
MD5: a06333b9b6ca3505c62bef750838189b
SHA1: 8b091f0fb87e8854334df5d83c4a2c2118e966da
SHA256: db086e49c19a74e4be83db82ac578579d0a6adc7d884a1cb46c3754b4c660d39
SHA512: f1b6447fdcc5d12a46af21e9bd78e17ba2a73d7bc9b3d43574ca98ab7fc4546673fdee5a5fb19768aa30540eb46238dbb96822007aa8f7e16bea6ad5d1f3f69a

File 9
Filesize: 2B
MD5: 2b9d4fa85c8e82132bde46b143040142
SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

File 10
Filesize: 76KB
MD5: d02717285294436093f4d7e660e4b366
SHA1: 34d0429343478f7996ea980729b7c86f248c8885
SHA256: ce4106d4603b45655cbb808f10367fff0c087352dd4aa9c3b21c6b1b6fd511fd
SHA512: 7d6a37f56bd800cde6b30795d8e44bfce4e2d73ed227717ca6079b5f413d511186123550ddc6fbf8acf348705714f87de75796910f0f5124ccf3e207cc16ce45