Analysis Overview
SHA256
2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1
Threat Level: Known bad
The file 2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1 was found to be: Known bad.
Malicious Activity Summary
BetaBot
Process spawned unexpected child process
Modifies firewall policy service
Executes dropped EXE
Sets file execution options in registry
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Office loads VBA resources, possible macro or embedded object present
NTFS ADS
Suspicious behavior: MapViewOfSection
Kills process with taskkill
Enumerates system info in registry
Modifies Internet Explorer settings
Launches Equation Editor
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer Protected Mode
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-24 22:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-24 22:38
Reported
2022-07-24 22:41
Platform
win7-20220715-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ea3w5msa7m11ys.exe | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ea3w5msa7m11ys.exe\DisableExceptionChainValidation | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rtaamps.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ea3w5msa7m11ys.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ea3w5msa7m11ys.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1676 set thread context of 1996 | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | C:\Users\Admin\appdata\local\temp\exe.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\appdata\local\temp\exe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\apPdata\loCal\teMp\taSk.baT
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1692346669773449524-928423002-1010073379481641021-804847515-804075916947845424"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\appdata\local\temp\2nd.bat
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\apPdata\loCal\teMp\taSk.baT
C:\Windows\SysWOW64\timeout.exe
TIMEOUT 1
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\cMD.exe
cMD Cmd /c %tmP%\TAsk.Bat & UUUUc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\appdata\local\temp\exe.exe
C:\Users\Admin\appdata\local\temp\ExE.exe
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM winword.exe
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Users\Admin\appdata\local\temp\exe.exe
C:\Users\Admin\appdata\local\temp\ExE.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.52.29:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | pnifp.com | udp |
Files
memory/516-54-0x0000000072981000-0x0000000072984000-memory.dmp
memory/516-55-0x0000000070401000-0x0000000070403000-memory.dmp
memory/516-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/516-57-0x0000000076031000-0x0000000076033000-memory.dmp
memory/516-58-0x00000000713ED000-0x00000000713F8000-memory.dmp
memory/2012-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\apPdata\loCal\teMp\TasK.BaT
| MD5 | 6dc34de53453f0fa267653a69f34831c |
| SHA1 | 7b69e96fd1c5ac9063e973d8214286e8e3fb01e9 |
| SHA256 | 0b1212179f11b6672a53a67ad42d24cfafc1064b487b1a0cb5b3318df7cbeedf |
| SHA512 | 370043219d716f0499bd3e782132a16fff0e331a66960dcbc892e7321160f5d88ed335760f5b29da3437f7c501732d9dd21a3c1b2d8c0d798fc04f1568813532 |
memory/1900-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\appdata\local\temp\2nd.bat
| MD5 | 6ff10253be7f8323ce4bf62b75e16ffe |
| SHA1 | c5f0a5e8886b142009313330e56aaf208d65daff |
| SHA256 | 961cb46c41ef78ed21fbac361e6fe247bee82c03db354007a55fcfab8b5b3b3d |
| SHA512 | c4423cc288cfb46ee50d57ab14295775527f17559f9a20e864eb416028b546632bb49526b508ce7969792e741aa929d54b71472a50bb1876a5d82f5bd2a76ff9 |
memory/980-64-0x0000000000000000-mapping.dmp
memory/1472-63-0x0000000000000000-mapping.dmp
memory/1696-66-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\exe.exe
| MD5 | 0a59cbcabc60f52d931e34bcb2824a47 |
| SHA1 | 1616283dae6e5b94db9d178c4d4781f8faa184f9 |
| SHA256 | 641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a |
| SHA512 | fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2 |
C:\Users\Admin\appdata\local\temp\exe.exe
| MD5 | 0a59cbcabc60f52d931e34bcb2824a47 |
| SHA1 | 1616283dae6e5b94db9d178c4d4781f8faa184f9 |
| SHA256 | 641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a |
| SHA512 | fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2 |
memory/1676-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\exe.exe
| MD5 | 0a59cbcabc60f52d931e34bcb2824a47 |
| SHA1 | 1616283dae6e5b94db9d178c4d4781f8faa184f9 |
| SHA256 | 641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a |
| SHA512 | fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2 |
memory/1868-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\nsy1FA3.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/516-74-0x00000000713ED000-0x00000000713F8000-memory.dmp
memory/860-75-0x0000000000000000-mapping.dmp
memory/776-76-0x0000000000000000-mapping.dmp
memory/1880-77-0x0000000000000000-mapping.dmp
memory/1364-78-0x0000000000000000-mapping.dmp
memory/564-79-0x0000000000000000-mapping.dmp
memory/1256-80-0x0000000000000000-mapping.dmp
memory/320-81-0x0000000000000000-mapping.dmp
memory/1540-82-0x0000000000000000-mapping.dmp
memory/884-83-0x0000000000000000-mapping.dmp
memory/1428-85-0x0000000000000000-mapping.dmp
memory/1808-84-0x0000000000000000-mapping.dmp
memory/1620-87-0x0000000000000000-mapping.dmp
memory/1676-88-0x00000000021F0000-0x0000000002E3A000-memory.dmp
memory/1012-86-0x0000000000000000-mapping.dmp
memory/1580-89-0x0000000000000000-mapping.dmp
memory/1604-90-0x0000000000000000-mapping.dmp
memory/1676-91-0x00000000021F0000-0x0000000002E3A000-memory.dmp
\Users\Admin\AppData\Local\Temp\exe.exe
| MD5 | 0a59cbcabc60f52d931e34bcb2824a47 |
| SHA1 | 1616283dae6e5b94db9d178c4d4781f8faa184f9 |
| SHA256 | 641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a |
| SHA512 | fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2 |
memory/1996-93-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\exe.exe
| MD5 | 0a59cbcabc60f52d931e34bcb2824a47 |
| SHA1 | 1616283dae6e5b94db9d178c4d4781f8faa184f9 |
| SHA256 | 641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a |
| SHA512 | fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2 |
memory/1996-96-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1996-97-0x0000000001CC0000-0x0000000001D26000-memory.dmp
memory/1996-98-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1996-99-0x00000000001E0000-0x00000000001ED000-memory.dmp
memory/1996-100-0x0000000001CC0000-0x0000000001D26000-memory.dmp
memory/1996-102-0x0000000000650000-0x000000000065C000-memory.dmp
memory/560-103-0x0000000000000000-mapping.dmp
memory/560-105-0x0000000074C81000-0x0000000074C83000-memory.dmp
memory/560-106-0x00000000777F0000-0x0000000077970000-memory.dmp
memory/560-107-0x00000000004B0000-0x0000000000567000-memory.dmp
memory/560-108-0x0000000000620000-0x000000000062C000-memory.dmp
memory/1996-109-0x0000000001CC0000-0x0000000001D26000-memory.dmp
memory/560-110-0x00000000777F0000-0x0000000077970000-memory.dmp
memory/560-111-0x00000000004B0000-0x0000000000567000-memory.dmp
memory/1268-112-0x0000000002980000-0x0000000002986000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-24 22:38
Reported
2022-07-24 22:41
Platform
win10v2004-20220721-en
Max time kernel
107s
Max time network
125s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{2A59B1FB-5A2C-42E9-A9FD-EC9BEAD6B837}\iNteldriVerupd1.sCt:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{2A59B1FB-5A2C-42E9-A9FD-EC9BEAD6B837}\decoy.doc:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{2A59B1FB-5A2C-42E9-A9FD-EC9BEAD6B837}\exe.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{2A59B1FB-5A2C-42E9-A9FD-EC9BEAD6B837}\TasK.BaT:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{2A59B1FB-5A2C-42E9-A9FD-EC9BEAD6B837}\2nd.bat:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | itest1.ru | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 51.104.15.253:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
memory/4920-130-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-132-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-131-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-133-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-134-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-135-0x00007FFBD6070000-0x00007FFBD6080000-memory.dmp
memory/4920-136-0x00007FFBD6070000-0x00007FFBD6080000-memory.dmp
memory/4920-138-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-139-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-140-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp
memory/4920-141-0x00007FFBD82F0000-0x00007FFBD8300000-memory.dmp