Analysis Overview
SHA256
328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290
Threat Level: Known bad
The file 328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Sets file execution options in registry
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
NTFS ADS
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Launches Equation Editor
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Modifies Internet Explorer Protected Mode
Kills process with taskkill
Modifies Internet Explorer Protected Mode Banner
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-31 05:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-31 05:01
Reported
2022-07-31 06:50
Platform
win7-20220718-en
Max time kernel
199s
Max time network
190s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ceek3yi9ee53o9a.exe | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ceek3yi9ee53o9a.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ucok.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ceek3yi9ee53o9a.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ceek3yi9ee53o9a.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1108 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.exe | C:\Users\Admin\AppData\Local\Temp\mondi.eXe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier | C:\Windows\SysWOW64\cMd.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\mondi.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\cMd.exe
cMd /k %tEmP%\dqfm.cmd ? aaaac
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1906132391-389951473-14306924981615920992-2112124796-992308298799363397-99359662"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmD
C:\Windows\SysWOW64\timeout.exe
TIMEOUT 1
C:\Users\Admin\AppData\Local\Temp\mondi.exe
C:\Users\Admin\AppData\Local\Temp\mondi.eXe
C:\Windows\SysWOW64\taskkill.exe
TASkKILL /F /IM winword.exe
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Users\Admin\AppData\Local\Temp\mondi.eXe
C:\Users\Admin\AppData\Local\Temp\mondi.eXe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.109.209.108:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | pan-qroup.com | udp |
Files
memory/1172-54-0x0000000072DC1000-0x0000000072DC4000-memory.dmp
memory/1172-55-0x0000000070841000-0x0000000070843000-memory.dmp
memory/1172-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1172-57-0x0000000075CB1000-0x0000000075CB3000-memory.dmp
memory/1172-58-0x000000007182D000-0x0000000071838000-memory.dmp
memory/1304-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dqfm.cmd
| MD5 | 29324996d120283c617a7a142b5ba980 |
| SHA1 | 43aa940b29713a6e75f30a6b614352c3bba24d6c |
| SHA256 | 2ab6f8f8b4f358a0f821de0710c3227dcbd1a3fa31172fda39ab44052a6cf021 |
| SHA512 | 21c4d36887c72d01f9d2913c61e9d443169351a1c97b81a503712f0a224d50484100493dc971121ab71343b372440c0633fb062bb4930d1e6f53d455c9352b48 |
C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/332-63-0x0000000000000000-mapping.dmp
memory/1888-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\mondi.exe
| MD5 | f807bc3379e9020ea229c1757c8bc257 |
| SHA1 | 1749d613fe4159efcd3fdc3c4dfb621bd447be5e |
| SHA256 | df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198 |
| SHA512 | b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c |
memory/1108-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mondi.exe
| MD5 | f807bc3379e9020ea229c1757c8bc257 |
| SHA1 | 1749d613fe4159efcd3fdc3c4dfb621bd447be5e |
| SHA256 | df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198 |
| SHA512 | b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c |
memory/1224-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\nsuA97B.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
\Users\Admin\AppData\Local\Temp\teasels.dll
| MD5 | 2bca48f9681de2a01180e3e3a4170238 |
| SHA1 | e097d8f8c9c51c777e7e1f720624ca9a0961b821 |
| SHA256 | 5f2d209fb93640bf6c81cbddaa00d1c2e120228e7fa34161ad2786e3f0f8b1cb |
| SHA512 | 5860b0d09cb0393efb8ea11d34de4a78a24adcb779c516ff7657cf44e5c54fbaeb343c9d005275d5915733ac149981cdc2af2f7d3f5db5d51cbd953cae073165 |
memory/1964-74-0x0000000000000000-mapping.dmp
memory/1956-75-0x0000000000000000-mapping.dmp
memory/2016-76-0x0000000000000000-mapping.dmp
memory/540-78-0x0000000000000000-mapping.dmp
memory/284-79-0x0000000000000000-mapping.dmp
memory/1060-77-0x0000000000000000-mapping.dmp
memory/772-80-0x0000000000000000-mapping.dmp
memory/1896-81-0x0000000000000000-mapping.dmp
memory/1864-82-0x0000000000000000-mapping.dmp
memory/1424-83-0x0000000000000000-mapping.dmp
memory/2020-84-0x0000000000000000-mapping.dmp
memory/1004-85-0x0000000000000000-mapping.dmp
memory/1472-86-0x0000000000000000-mapping.dmp
memory/576-87-0x0000000000000000-mapping.dmp
memory/1976-88-0x0000000000000000-mapping.dmp
memory/1940-90-0x0000000000000000-mapping.dmp
memory/1872-91-0x0000000000000000-mapping.dmp
memory/756-89-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\mondi.exe
| MD5 | f807bc3379e9020ea229c1757c8bc257 |
| SHA1 | 1749d613fe4159efcd3fdc3c4dfb621bd447be5e |
| SHA256 | df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198 |
| SHA512 | b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c |
memory/980-95-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-94-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-93-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-97-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-99-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-98-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-101-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mondi.exe
| MD5 | f807bc3379e9020ea229c1757c8bc257 |
| SHA1 | 1749d613fe4159efcd3fdc3c4dfb621bd447be5e |
| SHA256 | df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198 |
| SHA512 | b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c |
memory/980-100-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-104-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-106-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-107-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/980-109-0x0000000000400000-0x0000000000435000-memory.dmp
memory/980-110-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/980-111-0x0000000000290000-0x000000000029D000-memory.dmp
memory/980-112-0x0000000001FE0000-0x0000000001FEC000-memory.dmp
memory/1476-113-0x0000000000000000-mapping.dmp
memory/1476-115-0x0000000077B80000-0x0000000077D00000-memory.dmp
memory/980-116-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/1476-117-0x0000000075111000-0x0000000075113000-memory.dmp
memory/1476-118-0x0000000000090000-0x000000000014C000-memory.dmp
memory/1476-119-0x00000000002A0000-0x00000000002AD000-memory.dmp
memory/1476-120-0x0000000000390000-0x000000000039C000-memory.dmp
memory/1476-121-0x0000000077B80000-0x0000000077D00000-memory.dmp
memory/1476-122-0x0000000000090000-0x000000000014C000-memory.dmp
memory/1280-123-0x00000000022E0000-0x00000000022E6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-31 05:01
Reported
2022-07-31 06:50
Platform
win10v2004-20220721-en
Max time kernel
160s
Max time network
176s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{153EFAD2-E8CE-492F-80D7-6CB0F0E74228}\gondi.doc:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{153EFAD2-E8CE-492F-80D7-6CB0F0E74228}\dqfm.cmd:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{153EFAD2-E8CE-492F-80D7-6CB0F0E74228}\hondi.cmd:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{153EFAD2-E8CE-492F-80D7-6CB0F0E74228}\mondi.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
memory/4860-130-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-131-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-132-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-133-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-134-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-135-0x00007FFCCF8B0000-0x00007FFCCF8C0000-memory.dmp
memory/4860-136-0x00007FFCCF8B0000-0x00007FFCCF8C0000-memory.dmp
memory/4860-138-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-140-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-139-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp
memory/4860-141-0x00007FFCD2210000-0x00007FFCD2220000-memory.dmp