Malware Analysis Report

2025-01-03 05:03

Sample ID 230321-rwf4dsda9v
Target 7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.zip
SHA256 ac56401310021b5f3fe74d1991b9cbf46440c622f11b744589d06f44c526ee36
Tags
bitrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac56401310021b5f3fe74d1991b9cbf46440c622f11b744589d06f44c526ee36

Threat Level: Known bad

The file 7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.zip was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Process spawned unexpected child process

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win7-20230220-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf"

Signatures

BitRAT

trojan bitrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\taskmgr.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 976 set thread context of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\fdry.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\fdry.exe
PID 1708 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\fdry.exe
PID 1708 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\fdry.exe
PID 1708 wrote to memory of 976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Users\Admin\AppData\Roaming\fdry.exe
PID 976 wrote to memory of 988 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 988 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 988 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 988 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\fdry.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1652 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1652 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1652 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\taskmgr.exe
PID 2012 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\taskmgr.exe
PID 2012 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\taskmgr.exe
PID 2012 wrote to memory of 1896 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\taskmgr.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\fdry.exe

C:\Users\Admin\AppData\Roaming\fdry.exe

C:\Users\Admin\AppData\Roaming\fdry.exe

"C:\Users\Admin\AppData\Roaming\fdry.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fdry.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\system32\taskmgr.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {82501794-8AE8-413C-BFBB-75DD5B9617F3} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddl8.data.hu udp
HU 217.65.97.75:443 ddl8.data.hu tcp
US 74.201.28.92:3569 tcp
US 74.201.28.92:3569 tcp

Files

memory/2012-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/976-103-0x0000000001150000-0x0000000001526000-memory.dmp

memory/1532-104-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/976-105-0x0000000004D60000-0x0000000004DA0000-memory.dmp

memory/1532-106-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-107-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-108-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-109-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-110-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-111-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1532-113-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/1532-116-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-119-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-123-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-124-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-126-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-128-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-129-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-130-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-131-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-132-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-133-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1532-134-0x00000000003C0000-0x00000000003CA000-memory.dmp

\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

\Users\Admin\AppData\Roaming\fdry.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/1532-142-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-144-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-145-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-148-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-149-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-150-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-152-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1532-153-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1532-154-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-155-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-156-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-158-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-160-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-162-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-164-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-165-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-166-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win10v2004-20230220-en

Max time kernel

119s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf" /o ""

Network

Country Destination Domain Proto
NL 8.238.21.126:80 tcp
NL 8.238.21.126:80 tcp
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 141.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 37.242.123.52.in-addr.arpa udp
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 32.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 131.253.33.203:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 8.238.21.126:80 tcp
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

memory/4128-133-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-134-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-135-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-136-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-137-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-138-0x00007FFC8F000000-0x00007FFC8F010000-memory.dmp

memory/4128-139-0x00007FFC8F000000-0x00007FFC8F010000-memory.dmp

memory/4128-170-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-171-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-172-0x00007FFC91930000-0x00007FFC91940000-memory.dmp

memory/4128-173-0x00007FFC91930000-0x00007FFC91940000-memory.dmp