Malware Analysis Report

2025-08-11 01:39

Sample ID 230224-qv8xcadd5v
Target Jiuwu Hi-tech Pricelist February 2023.doc
SHA256 19831af2350c4b69c5abfd09278248334c964836ce9b93f9cfb8cd0300fd8e87
Tags
warzonerat infostealer persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

19831af2350c4b69c5abfd09278248334c964836ce9b93f9cfb8cd0300fd8e87

Threat Level: Known bad

The file Jiuwu Hi-tech Pricelist February 2023.doc was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Launches Equation Editor

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Modifies registry class

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 13:36

Reported

2023-02-24 13:38

Platform

win7-20230220-en

Max time kernel

108s

Max time network

34s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Jiuwu Hi-tech Pricelist February 2023.rtf"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\word.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqmvfbk = "C:\\Users\\Admin\\AppData\\Roaming\\vfoktpyiemvrb\\wgplueajfoxtdm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\avxyq.exe\" C:\\Users\\Admin\\AppDa" C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1776 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe C:\Users\Admin\AppData\Local\Temp\avxyq.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\avxyq.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1820 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\word.exe
PID 1820 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\word.exe C:\Users\Admin\AppData\Local\Temp\avxyq.exe
PID 1776 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe C:\Users\Admin\AppData\Local\Temp\avxyq.exe
PID 1972 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Jiuwu Hi-tech Pricelist February 2023.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\word.exe

C:\Users\Admin\AppData\Roaming\word.exe

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe" C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 184

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 kerasiastudios.gr udp
GR 62.1.216.128:80 kerasiastudios.gr tcp

Files

memory/1380-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

\Users\Admin\AppData\Roaming\word.exe

MD5 28c462381899d5a4f67656944b6025f9
SHA1 97daf057dd9f1d1c7d3ef9ed222b46fbda7a52cb
SHA256 da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a
SHA512 d6b86feddbc0af9ff7db8d9e4ec718950d38f60a0d96595ef71c386855607db98ca26eee566205a662d07ae0cb6874bd81eccf45f6352eaa9e613a58b9d64283

C:\Users\Admin\AppData\Roaming\word.exe

MD5 28c462381899d5a4f67656944b6025f9
SHA1 97daf057dd9f1d1c7d3ef9ed222b46fbda7a52cb
SHA256 da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a
SHA512 d6b86feddbc0af9ff7db8d9e4ec718950d38f60a0d96595ef71c386855607db98ca26eee566205a662d07ae0cb6874bd81eccf45f6352eaa9e613a58b9d64283

\Users\Admin\AppData\Local\Temp\avxyq.exe

MD5 156ed6700ef54cfa83a1a220e842a328
SHA1 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256 d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512 c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

MD5 156ed6700ef54cfa83a1a220e842a328
SHA1 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256 d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512 c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

MD5 6bd6d3f8e44429f2be3e2d45bb17f2f2
SHA1 76e8137a69cb6b15ff0194d67e1fb91aa0e9aed0
SHA256 74538cb526634df66399cba1d4fddc07427059fd81842160ee52aee8b33feff8
SHA512 f142917a41e9d5de39e6818c660c569a9e3b3db96d22c5af2e273a2d5045976593c805d7266a8d4545eb013461c24159b7f70aa3cf405cb1c8cde44a3e26ae0e

C:\Users\Admin\AppData\Local\Temp\narwbaekgvw.wt

MD5 bbaa20f28881493009df30cd773b0cc5
SHA1 ac779c0fd7e238a79720d29e837755b011770710
SHA256 0d3de13a7c6651962965e736e1b44d6fb299b53dc7267cdbbd3170d2fa77b07b
SHA512 1d4ef3750936f99778aab04ad81b774cadcb966f08e73a6be935896e81b9ff45e7b3e519391ce54935dae56654b809e8391a9f03d5721956b5d051256cad6242

memory/1972-78-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1972-85-0x0000000000080000-0x000000000009D000-memory.dmp

memory/1972-91-0x0000000000080000-0x000000000009D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 6985329def35c234a5292ea87acd51b4
SHA1 b98ba4d0f12581d7b58f93b95a5b71275b1f6b68
SHA256 bb7dc0565a128929283c29866709a836fa34672e251cc0a0e9a4ec94e5a5cb99
SHA512 4e455faa889bab2293711c614684286d1303a87983c34ee625ad2a61aac49f925a13dd78c80ad3e818d4a55703decd85a4764e7d891e7d1302ce4d9c739d50aa

memory/1380-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 13:36

Reported

2023-02-24 13:38

Platform

win10v2004-20230220-en

Max time kernel

113s

Max time network

123s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Jiuwu Hi-tech Pricelist February 2023.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Jiuwu Hi-tech Pricelist February 2023.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
IE 13.69.239.73:443 tcp
NL 8.238.178.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp

Files

memory/1804-133-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-135-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-134-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-136-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-137-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-138-0x00007FFA42480000-0x00007FFA42490000-memory.dmp

memory/1804-139-0x00007FFA42480000-0x00007FFA42490000-memory.dmp

memory/1804-167-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-168-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-169-0x00007FFA44670000-0x00007FFA44680000-memory.dmp

memory/1804-170-0x00007FFA44670000-0x00007FFA44680000-memory.dmp