Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-y3hdcseg6t
Target 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a
SHA256 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score 10/10

SHA256 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a

Threat Level: Known bad

The file 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a was found to be: Known bad.

Malicious Activity Summary

Tags: xtremerat persistence rat spyware upx

XtremeRAT
Detect XtremeRAT payload
Executes dropped EXE
UPX packed file
Checks computer location settings
Drops startup file
Loads dropped DLL
Checks BIOS information in registry
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses

Not every signature above is the RAT's doing. In the behavioral1 tables the Internet Explorer settings, most of the registry class changes, the Office VBA-resource signature and the wiatrace.log write are attributed to WINWORD.EXE, which the sample launches on the decoy document doc.doc. The RAT-specific activity is Skpe.exe (the dropped XtremeRAT payload), the Startup folder .lnk, the memory writes into a second Skpe.exe and into sethc.exe, and the port 3389 connections listed under Network.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 20:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-23 20:18
Reported 2022-11-23 23:13
Platform win7-20220812-en
Max time kernel 145s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"

Signatures

Detect XtremeRAT payload

6 matches; the report records no description, indicator, process or target for them.

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

UPX packed file

upx
10 matches; the report records no description, indicator, process or target for them.

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe N/A

As recorded, the shortcut's base name is a single space character (" .lnk"), so it shows up as a nameless entry in the Startup folder. The link target is not captured in this report; when hunting, list the Startup folder by creation time rather than by name.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z:, every drive letter except C: and D: (24 opens) C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1812 set thread context of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe

Both PIDs run the same image: the first Skpe.exe (1812) starts a second copy of itself (1156), writes into it (11 writes in the WriteProcessMemory table below) and then resets its thread context, the sequence of a RunPE-style hollowing of the child. The unpacked XtremeRAT code should be expected in 1156, not in the UPX-packed file on disk.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Modifies Internet Explorer settings

adware spyware

Every row in this table is written by WINWORD.EXE while it opens the decoy document, and the keys are Office 2010's own HTML/MHTML editor and IE menu-extension registrations (Office14), not RAT configuration; treat the "adware spyware" tag as a false positive for this sample. The 'command' values shown as hex are UTF-16LE strings holding a Windows Installer advertised-verb descriptor followed by the verb's arguments (/n "%1").

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Of the rows below, all but two are WINWORD.EXE re-registering Office's .htm/.mht handlers. The two by Skpe.exe create the class key wy2026978013e.esf and set a 16-byte default value (2d7f3fc274e4f95aae74dbb729f4914d) under it; that key is the only registry change in this table made by the RAT itself and is worth carrying as a host indicator.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf\ = 2d7f3fc274e4f95aae74dbb729f4914d C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
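The hex 'command' values in the two tables above are REG_BINARY blobs of UTF-16LE text. The following Python is added here as a worked example and is not part of the sandbox report: it decodes the three distinct blobs (copied from the rows above) and splits each into the Windows Installer descriptor fields, a 20-character compressed product GUID, the feature name, '>', a 20-character compressed component GUID, then the verb's arguments. The field layout is the standard Darwin descriptor format; the helper names (`decode_reg_binary`, `parse_descriptor`, `summarize`) are this example's own.

```python
"""Decode the REG_BINARY 'command' values from the Office registry rows.
Added example; not part of the sandbox report."""
from dataclasses import dataclass

# Constructed input: the three distinct blobs copied from the report's rows
# (Default HTML Editor, .mht/Microsoft Excel, .mht/Microsoft Publisher).
WORD_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUB_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


@dataclass(frozen=True)
class Descriptor:
    product: str    # 20-char compressed (base-85) product GUID
    feature: str    # MSI feature the verb is advertised under
    component: str  # 20-char compressed component GUID
    args: str       # command-line arguments appended after the descriptor


def decode_reg_binary(hex_value: str) -> str:
    """Hex dump of a REG_BINARY value -> text; the data is UTF-16LE, NUL padded."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def parse_descriptor(text: str) -> Descriptor:
    """Split an advertised-verb string into its Darwin descriptor fields.
    Layout: <20-char product><feature>'>'<20-char component>[ <args>]."""
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    component, args = rest[:20], rest[20:].strip()
    if len(product) != 20 or sep != ">" or not feature or len(component) != 20:
        raise ValueError("not a Darwin descriptor")
    return Descriptor(product, feature, component, args)


def summarize(blobs: dict) -> dict:
    """Map each value name to 'feature args', which is all a reviewer needs."""
    out = {}
    for name, hex_value in blobs.items():
        d = parse_descriptor(decode_reg_binary(hex_value))
        out[name] = f"{d.feature} {d.args}".strip()
    return out


if __name__ == "__main__":
    blobs = {"Default HTML Editor": WORD_HEX,
             ".mht Microsoft Excel": EXCEL_HEX,
             ".mht Microsoft Publisher": PUB_HEX}
    for name, line in summarize(blobs).items():
        print(f"{name:26} {line}")
```

All three blobs carry the same 20-character product field, so the three verbs belong to one installed product (the Office suite), and the arguments are the plain editor verbs (/n "%1", /dde, %1). A RAT persisting through a shell verb would point at its own binary instead; that absence is what lets these rows be discounted.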

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Count is the number of times the row appears in the report.

Description Indicator Process Target Count
PID 900 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE 7
PID 900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe 7
PID 1812 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe 11
PID 1156 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe 8
PID 1108 wrote to memory of 1044 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe 4

The writes from 900 into the two children it starts, and from WINWORD.EXE into splwow64.exe, are the parent-side writes that accompany process creation. The 11 writes from 1812 into its own second instance (paired with the SetThreadContext above) and the 8 writes from that instance into sethc.exe are the injection steps.

Processes

The report lists the processes flat; the parent/child layout and PIDs below are taken from the WriteProcessMemory and SetThreadContext rows above.

C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe (PID 900)
    "C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1108)
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc.doc"

        C:\Windows\splwow64.exe (PID 1044)
            C:\Windows\splwow64.exe 12288

    C:\Users\Admin\AppData\Local\Temp\Skpe.exe (PID 1812)
        "C:\Users\Admin\AppData\Local\Temp\Skpe.exe"

        C:\Users\Admin\AppData\Local\Temp\Skpe.exe (PID 1156, written to and thread context set by 1812)
            C:\Users\Admin\AppData\Local\Temp\Skpe.exe

            C:\Windows\SysWOW64\sethc.exe (PID 1988, written to by 1156)
                sethc.exe
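To turn rows in the report's own "PID X wrote to memory of Y" / "set thread context of" format into the tree above and to separate injection from ordinary parent-to-child writes, the Python below is added as an example and is not part of the report. Its input is constructed from the rows above (each distinct row with its repeat count) and it applies two rules that are this example's own, not the sandbox's: a write is flagged when writer and target share an image and the writer also set the target's thread context, or when a writer running from a user profile writes into a binary under C:\Windows. The assumption that the first writer into a PID is its parent matches how the parent populates a new child during CreateProcess.

```python
"""Process tree and injection triage from sandbox memory-write rows.
Added example; not part of the sandbox report.  Assumption of this example:
the first process that writes into a PID is its parent (on Windows the parent
writes the new child's process parameters during CreateProcess)."""
import re
from collections import Counter, defaultdict

# Row format of the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables.  The writer's image may
# contain spaces, so it ends where the next "X:\" path begins.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>.+?) (?=[A-Za-z]:\\)(?P<dst_img>.+)$"
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"
SKPE = TEMP + r"\Skpe.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"

# Constructed input: the report's distinct rows, each with the number of
# identical copies the tables show.
SAMPLE_ROWS = [
    (f"PID 900 wrote to memory of 1108 N/A {SAMPLE} {WINWORD}", 7),
    (f"PID 900 wrote to memory of 1812 N/A {SAMPLE} {SKPE}", 7),
    (f"PID 1812 wrote to memory of 1156 N/A {SKPE} {SKPE}", 11),
    (f"PID 1156 wrote to memory of 1988 N/A {SKPE} C:\\Windows\\SysWOW64\\sethc.exe", 8),
    (f"PID 1108 wrote to memory of 1044 N/A {WINWORD} C:\\Windows\\splwow64.exe", 4),
    (f"PID 1812 set thread context of 1156 N/A {SKPE} {SKPE}", 1),
]

USER_DIR = "c:\\users\\"
SYSTEM_DIR = "c:\\windows\\"


def parse_rows(rows_with_counts):
    """Expand (row text, count) pairs into one event dict per recorded call."""
    events = []
    for text, count in rows_with_counts:
        m = ROW.match(text)
        if m is None:
            raise ValueError(f"unparsed row: {text!r}")
        ev = m.groupdict()
        ev["src"], ev["dst"] = int(ev["src"]), int(ev["dst"])
        events.extend(dict(ev) for _ in range(count))
    return events


def build_tree(events):
    """Return (child PID -> parent PID, PID -> image path)."""
    parent, image = {}, {}
    for ev in events:
        image.setdefault(ev["src"], ev["src_img"])
        image.setdefault(ev["dst"], ev["dst_img"])
        if ev["kind"] == "wrote to memory of":
            parent.setdefault(ev["dst"], ev["src"])   # first writer = parent
    return parent, image


def render_tree(parent, image, root):
    """Indented text tree, one 'PID image' line per process, depth-first."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def find_injections(events):
    """Flag cross-process writes that are not plain process creation:
    (a) writer and target share an image and the writer also set the target's
        thread context (RunPE / hollowing shape), or
    (b) a writer running from a user profile writes into a binary under
        the Windows directory.
    Returns [((src, dst), reason, write_count), ...] sorted by PID pair."""
    writes, ctx, pair_img = Counter(), set(), {}
    for ev in events:
        pair = (ev["src"], ev["dst"])
        pair_img[pair] = (ev["src_img"].lower(), ev["dst_img"].lower())
        if ev["kind"] == "wrote to memory of":
            writes[pair] += 1
        else:
            ctx.add(pair)
    findings = []
    for pair, n in sorted(writes.items()):
        src_img, dst_img = pair_img[pair]
        if src_img == dst_img and pair in ctx:
            findings.append((pair, "same-image write plus SetThreadContext", n))
        elif src_img.startswith(USER_DIR) and dst_img.startswith(SYSTEM_DIR):
            findings.append((pair, "user-profile process writes into system binary", n))
    return findings


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    parent, image = build_tree(evs)
    print("\n".join(render_tree(parent, image, 900)))
    for (src, dst), why, n in find_injections(evs):
        print(f"[!] {src} -> {dst}: {why} ({n} writes)")
```

Run against the rows above it flags exactly the two pairs called out in the prose, 1812 into 1156 and 1156 into sethc.exe, and leaves the three creation-time writes (into WINWORD.EXE, the first Skpe.exe and splwow64.exe) unflagged. Rule (b) deliberately keys on where the writer runs from rather than on write counts, since WINWORD.EXE writing into splwow64.exe would otherwise look like the sethc.exe case.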

Network

Identical rows are collapsed; Count is the number of times the row appears in the report.

Country Destination Domain Proto Count
N/A 8.8.8.8:53 goodday.zapto.org udp 1
N/A 58.158.177.102:3389 goodday.zapto.org tcp 4
N/A 8.8.8.8:53 tvnew.otzo.com udp 1
N/A 172.227.95.162:3389 tvnew.otzo.com tcp 4

Both C2 hostnames sit under free dynamic-DNS zones (zapto.org and otzo.com are No-IP domains), and the RAT connects to them on TCP 3389, the port normally used by RDP, with no RDP client in the process list. The repeated connections are the beacon attempts. Network indicators from this run: the two hostnames, 58.158.177.102 and 172.227.95.162, and outbound TCP 3389 from an executable under a user profile.

Files

C:\Users\Admin\AppData\Local\Temp\Skpe.exe

MD5 0946f59f7a3718e24ca16f089f7974f6
SHA1 143e879d7bb1b0322844c288a5c8c0aa88d78a29
SHA256 d357ab68c3253d5b235ea42fb65633e3d1993ee12b9135125e8b8c360566deec
SHA512 0e4ead1184a474c98bb2deb4f7450246559f3b713541a75a7084f861ee4239303796f3ab8ea16e02b4c0cda76437676bce7c58cf470e0adaf775a71fc51a5842

C:\Users\Admin\AppData\Local\Temp\doc.doc

MD5 2dc148f5161f0914a2ca0136b088ed44
SHA1 cb47e69bb0fce98c6a16b687e05bba97143822bf
SHA256 84730b81737bf67aa69383aa304a89b5b4da29190d8d6268f80b6e4df90d9463
SHA512 e5a951481ca01eccc3c77069642256ca6822e837240c9b9cee78305570fd05998a98d9dae0e80e71811d7a4953df54d1b2fd732d35fb5e8729dfbfd773cfff21

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 20:18

Reported

2022-11-23 23:14

Platform

win10v2004-20221111-en

Max time kernel

185s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 1820 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf\ = 2d7f3fc274e4f95aef6a08c829f4914d C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2584 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe
PID 2344 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Users\Admin\AppData\Local\Temp\Skpe.exe
PID 1820 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe
PID 1820 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe
PID 1820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe
PID 1820 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe
PID 1820 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\Skpe.exe C:\Windows\SysWOW64\sethc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe

"C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc.doc" /o ""

C:\Users\Admin\AppData\Local\Temp\Skpe.exe

"C:\Users\Admin\AppData\Local\Temp\Skpe.exe"

C:\Users\Admin\AppData\Local\Temp\Skpe.exe

C:\Users\Admin\AppData\Local\Temp\Skpe.exe

C:\Windows\SysWOW64\sethc.exe

sethc.exe

C:\Windows\SysWOW64\sethc.exe

sethc.exe

C:\Windows\SysWOW64\sethc.exe

sethc.exe

C:\Windows\SysWOW64\sethc.exe

sethc.exe

C:\Windows\SysWOW64\sethc.exe

sethc.exe

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 N/A tcp
N/A 72.21.81.240:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 72.21.91.29:80 N/A tcp
N/A 13.78.111.198:443 N/A tcp
N/A 13.107.21.200:443 N/A tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 goodday.zapto.org udp
N/A 58.158.177.102:3389 goodday.zapto.org tcp
N/A 8.8.8.8:53 tvnew.otzo.com udp
N/A 172.227.95.162:3389 tvnew.otzo.com tcp
N/A 20.82.209.183:443 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\Skpe.exe

MD5 0946f59f7a3718e24ca16f089f7974f6
SHA1 143e879d7bb1b0322844c288a5c8c0aa88d78a29
SHA256 d357ab68c3253d5b235ea42fb65633e3d1993ee12b9135125e8b8c360566deec
SHA512 0e4ead1184a474c98bb2deb4f7450246559f3b713541a75a7084f861ee4239303796f3ab8ea16e02b4c0cda76437676bce7c58cf470e0adaf775a71fc51a5842

C:\Users\Admin\AppData\Local\Temp\doc.doc

MD5 2dc148f5161f0914a2ca0136b088ed44
SHA1 cb47e69bb0fce98c6a16b687e05bba97143822bf
SHA256 84730b81737bf67aa69383aa304a89b5b4da29190d8d6268f80b6e4df90d9463
SHA512 e5a951481ca01eccc3c77069642256ca6822e837240c9b9cee78305570fd05998a98d9dae0e80e71811d7a4953df54d1b2fd732d35fb5e8729dfbfd773cfff21