452320f3b1da42b30c32ea5ab5887983b575638ceb4e3beacfefbbb3b0510a48

Analysis

max time kernel
127s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 04:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExtPack-license.rtf
Size

19KB
MD5

1af9462955585fc3eb3af21c08da6b6a
SHA1

5b1fb945ef7021bb192b1a508f60aabd525ea1a7
SHA256

017549f1245343e96ddddfe1b8c37efea090cef9733bc276335c13b1a71e1c13
SHA512

ee6f95ce4abc6058ec3504db5349aa45e2dd9ff130d4d75a2493344723a344186e22c83c2f2249856964a629cbe8cc3896d11b94b92157a6caaba8158bedbabb
SSDEEP

192:wJrjv1Mf4g/y4pKnhDJIT0TyPH7cDcpr5wcgd3+EoXG6xoB0yDGpRpP7irYY:whAJ/1pKkITspr5qOoDDGBGp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3056	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ExtPack-license.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

DNS

164.2.77.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.2.77.40.in-addr.arpa

IN PTR

Response
DNS

164.113.223.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.113.223.173.in-addr.arpa

IN PTR

Response

164.113.223.173.in-addr.arpa

IN PTR

a173-223-113-164deploystaticakamaitechnologiescom
DNS

250.108.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

250.108.137.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

191.88.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.88.109.52.in-addr.arpa

IN PTR

Response
DNS

16.42.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.42.107.13.in-addr.arpa

IN PTR

Response
DNS

26.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.73.42.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

2.36.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.159.162.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

14.103.197.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.103.197.20.in-addr.arpa

IN PTR

Response
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response
DNS

99.113.223.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.113.223.173.in-addr.arpa

IN PTR

Response

99.113.223.173.in-addr.arpa

IN PTR

a173-223-113-99deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

250.255.255.239.in-addr.arpa

Remote address:

8.8.8.8:53

Request

250.255.255.239.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet

40.77.2.164:443

276 B
6
52.152.110.14:443

208 B
4
20.50.201.200:443

322 B
7
8.238.21.126:80

322 B
7
93.184.220.29:80

322 B
7
8.238.21.126:80

322 B
7
8.238.21.126:80

322 B
7

8.8.8.8:53

164.2.77.40.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

164.2.77.40.in-addr.arpa
8.8.8.8:53

164.113.223.173.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

164.113.223.173.in-addr.arpa
8.8.8.8:53

250.108.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

250.108.137.52.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

191.88.109.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

191.88.109.52.in-addr.arpa
8.8.8.8:53

16.42.107.13.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

16.42.107.13.in-addr.arpa
8.8.8.8:53

26.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

26.73.42.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

2.36.159.162.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.36.159.162.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

14.103.197.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.103.197.20.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa
8.8.8.8:53

99.113.223.173.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

99.113.223.173.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

250.255.255.239.in-addr.arpa

dns

74 B
131 B
1
1

DNS Request

250.255.255.239.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
fd598abff4f90d5768a2c3cd4b454e59

SHA1
f840de286ae351e38d5bb03817239518bbcce840

SHA256
5843591794c1708f5d696ebdc9585c9a818866146dd2e6c901fb931657b592ab

SHA512
3c5d9f8f5cb7bd53edc5be1cb67c79488cef5d0c24829088f72e9ff13e30ffb4bec408cb2a19076b3fd98035e0306536164bf71d3c5cef2fb4ff39853318f686

Download Submit
memory/3056-215-0x0000027965930000-0x0000027965931000-memory.dmp

Filesize
4KB

Download
memory/3056-209-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-239-0x0000027965A70000-0x0000027965A71000-memory.dmp

Filesize
4KB

Download
memory/3056-238-0x0000027965A70000-0x0000027965A71000-memory.dmp

Filesize
4KB

Download
memory/3056-236-0x0000027965A60000-0x0000027965A61000-memory.dmp

Filesize
4KB

Download
memory/3056-224-0x0000027965860000-0x0000027965861000-memory.dmp

Filesize
4KB

Download
memory/3056-221-0x0000027965920000-0x0000027965921000-memory.dmp

Filesize
4KB

Download
memory/3056-218-0x0000027965930000-0x0000027965931000-memory.dmp

Filesize
4KB

Download
memory/3056-208-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-216-0x0000027965920000-0x0000027965921000-memory.dmp

Filesize
4KB

Download
memory/3056-172-0x000002795D640000-0x000002795D650000-memory.dmp

Filesize
64KB

Download
memory/3056-188-0x000002795D740000-0x000002795D750000-memory.dmp

Filesize
64KB

Download
memory/3056-204-0x0000027965CE0000-0x0000027965CE1000-memory.dmp

Filesize
4KB

Download
memory/3056-205-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-214-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-206-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-213-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-207-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-210-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-211-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-212-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/5072-170-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-134-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-133-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-171-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-169-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-168-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-139-0x00007FFB6D3D0000-0x00007FFB6D3E0000-memory.dmp

Filesize
64KB

Download
memory/5072-135-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-138-0x00007FFB6D3D0000-0x00007FFB6D3E0000-memory.dmp

Filesize
64KB

Download
memory/5072-137-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-136-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.